Back to skill
Skillv1.0.1
ClawScan security
letheClaw · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
SuspiciousFeb 18, 2026, 10:36 PM
- Verdict
- suspicious
- Confidence
- medium
- Model
- gpt-5-mini
- Summary
- The skill's behavior mostly matches a memory service, but SKILL.md requires an external API URL (and mandates always querying that remote API first) while the registry metadata does not declare that env var; that mismatch plus the forced-first-network-query policy could lead to unexpected transmission of user data to an external endpoint.
- Guidance
- This skill legitimately implements a memory API integration, but pay attention before installing: (1) SKILL.md expects LETHECLAW_API_URL but the skill metadata doesn't declare it — set that yourself and verify it points to a service you control. (2) The protocol forces the agent to query the remote API first and send/receive full content; that can leak private or sensitive conversation/context to whatever server is configured. Only use if LETHECLAW_API_URL points to a trusted, private instance (e.g., local or organizational host). (3) If you can't or won't host the API yourself, consider rejecting or modifying the skill so the agent asks for user permission before sending history, or require an explicit opt-in per memory. (4) Prefer skills that declare required env vars in metadata and provide clear sanitization/consent rules. If you want, ask the publisher to add LETHECLAW_API_URL to required env vars and to make the 'always query first' behavior optional or gated by user consent.
- Findings
[NO_SCAN_FINDINGS] expected: The regex-based scanner found no code to analyze (instruction-only SKILL.md). Absence of findings is expected for instruction-only skills but is not evidence of safety — the runtime instructions are the primary surface to review.
Review Dimensions
- Purpose & Capability
- noteName/description, manifest permissions (network), and instructions all describe a memory storage/search service — network access is expected. However the SKILL.md depends on an environment variable LETHECLAW_API_URL to locate the service but the skill metadata does not declare any required env vars, creating an inconsistency between what it needs at runtime and what it announces.
- Instruction Scope
- concernThe SKILL.md enforces a non‑negotiable protocol that the agent must ALWAYS query the remote letheClaw API first for history/recall and to use returned 'content' directly. That drives automatic outbound transmission of memory/search queries and arbitrary content to the configured API. It also instructs posting user-observed content to the API whenever 'remember' is invoked. There is no guidance about sanitization, redaction, or asking for consent before sending potentially sensitive context to an external service.
- Install Mechanism
- okInstruction-only skill with no install spec or code files — minimal installation risk and nothing written to disk by the skill itself.
- Credentials
- concernThe skill needs an API URL (LETHECLAW_API_URL) at runtime but does not list it as a required environment variable in the registry metadata. No credentials are requested (which is proportionate), but the missing declaration is a mismatch that affects transparency. The manifest's network permission is expected for its purpose but is the primary enabler of sending user data off-host.
- Persistence & Privilege
- okThe skill is not always-on, does not request special persistent privileges, and does not modify other skills or system-wide config. Autonomous invocation is allowed (platform default) but not combined with other elevated privileges.