Skillv1.0.1

ClawScan security

Math Utils Native · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

SuspiciousMar 11, 2026, 5:05 PM

Verdict: suspicious
Confidence: high
Model: gpt-5-mini
Summary: The skill does what it says (runs native CLI calculators) but its implementation concatenates user-provided expressions into shell commands with no sanitization, allowing arbitrary command execution on the host — proceed with caution.
Guidance: This skill evaluates math expressions by building shell/PowerShell commands from the input and running them with execSync. That means a malicious or malformed expression can inject arbitrary shell commands on the host (e.g., expressions containing ;, ``, $(), backticks, quotes, or other metacharacters). If you plan to install or run this skill, only do so on an isolated, non-production host or container. Prefer safer alternatives: use a dedicated math parser library (e.g., decimal.js, mathjs) or evaluate expressions in a sandboxed process; if you must keep the current approach, apply strict input validation/whitelisting (allow only digits, whitespace, parentheses, and a limited set of operators) and avoid passing user input into a shell string—use execFile/spawn with arguments or a library that evaluates expressions without invoking a shell. If you need help hardening this skill, ask for specific code changes (e.g., a sanitized evaluator or replacement with a trusted math library).

Purpose & Capability: okName/description match the implementation: it executes local CLI tools (bc, python3, PowerShell) to compute expressions. No unrelated credentials, binaries, or installs are requested.
Instruction Scope: concernSKILL.md explicitly instructs executing local CLI commands to evaluate expressions. The shipped main.js directly interpolates the supplied expression into shell commands (execSync with a single command string) without validation or sanitization, creating a command-injection risk. The instructions do not mention input validation, sandboxing, or safety constraints.
Install Mechanism: okNo install spec (instruction-only + small code file). Nothing is downloaded or installed by the skill, so there is no supply-chain install risk here.
Credentials: okThe skill requests no environment variables, credentials, or config paths — appropriate and minimal for the stated purpose.
Persistence & Privilege: okalways is false and the skill does not request any special persistent or cross-skill privileges. It runs on-demand and does not modify other skills or system-wide settings.