Back to skill
Skillv2.0.1
ClawScan security
Ai Company Cqo 2.0.0 · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
SuspiciousApr 19, 2026, 10:58 AM
- Verdict
- suspicious
- Confidence
- medium
- Model
- gpt-5-mini
- Summary
- The skill appears to implement the stated CQO quality-checking purpose and includes a local quality-gate checker, but there are metadata inconsistencies and a few privileges (broad file-read + mcp subagent/session permissions) that merit caution before installation.
- Guidance
- This package appears to implement a legitimate QA/CQO workflow and includes a local 'quality_gate_checker' tool that scans skill files for secrets and dangerous code patterns — that behavior matches the stated purpose. Before installing, verify the author/source and resolve the inconsistent version metadata (registry vs files). Be cautious because the skill has generic file read permission and mcp rights (sessions_send, subagents): don't run it pointed at sensitive system paths or '/' and prefer running the included Python checker manually in a restricted sandbox first to review its output. If you plan to let the agent invoke this skill autonomously, consider whether you trust it to spawn subagents; if not, disable autonomous invocation or remove the subagent permission. Finally, inspect the full quality_gate_checker.py (it's present in tools/) to confirm its reporting behavior and that it does not exfiltrate data — the package shows no network calls, but manual review/sandbox execution will reduce risk.
Review Dimensions
- Purpose & Capability
- noteThe skill's files (long SKILL.md describing CQO processes plus a tools/quality_gate_checker.py) are coherent with the stated purpose of implementing QA gates and automated checks. However metadata versions are inconsistent across places: registry metadata lists version 2.0.1, SKILL.md frontmatter shows 2.3.0, meta.json in the archive shows 1.1.0, and _meta.json shows 2.0.0 — this mismatch is a sign of sloppy packaging or incomplete publishing and should be verified.
- Instruction Scope
- concernThe included Python tool scans files under a provided path and searches for 'sensitive' strings and dangerous code patterns. That behavior is expected for a quality gate tool, but because the manifest grants generic file read permission the tool (or the agent when invoking it) could be pointed at arbitrary filesystem locations, potentially exposing sensitive files if misused. The skill also declares mcp permissions (sessions_send, subagents) which enable spawning or communicating with subagents — plausible for cross-agent consensus but increases the attack surface if misused. The SKILL.md itself does not request external network access or credentials.
- Install Mechanism
- okNo install spec or external downloads; skill is instruction-plus-local-tool only. No remote code fetchers or archive extraction were found in the package.
- Credentials
- okThe skill requests no environment variables or external credentials. The quality checker contains regexes to detect common secret patterns (API keys, AWS keys, GH tokens) but it does not request or embed credentials itself. The absence of credential requests is proportionate to its purpose.
- Persistence & Privilege
- notealways is false (good). Autonomous invocation (disable-model-invocation: false) is the platform default. The mcp permissions to send sessions and create subagents are notable: they are reasonable for a CQO coordinating multi-agent validation, but they grant the skill the ability to spawn/communicate with subagents which increases potential impact if the skill is malicious or buggy.