Skill v2.0.1
ClawScan security
Ai Company Cto 2.0.0 · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Suspicious · Apr 19, 2026, 10:58 AM
- Verdict: suspicious
- Confidence: medium
- Model: gpt-5-mini
- Summary: The skill's description (CTO / governance) is plausible, but the runtime instructions declare broad file, network and subagent permissions without concrete constraints — proportionate for orchestration but potentially risky and open-ended.
- Guidance: This skill reads like a legitimate high-level CTO/governance playbook and is instruction-only (no installer or code). However, its metadata requests broad runtime permissions (read/write files, network/API access, and the ability to spawn subagents). Before installing or enabling autonomous use: 1) Confirm you trust the skill owner/source (source: unknown). 2) Limit permissions: run in a sandbox or deny file/network/subagent permissions until reviewed. 3) If you must enable network or file access, restrict it to explicit paths/hosts and enable auditing/logging. 4) Avoid granting it access to sensitive credentials or production systems until you have tested its behavior on a non-production copy. 5) Consider requiring human-in-the-loop approvals for any high-risk actions (writes, deletions, or new subagent creation). These steps reduce the risk that an open-ended governance skill performs unintended or privileged operations.
Review Dimensions
- Purpose & Capability (note): Name/description (AI Company CTO — system architecture, governance, orchestration) align with an ability to read/write artifacts, call APIs, and coordinate agents. The skill declares dependencies on other internal company skills (ceo, ciso, hq, etc.), which fits a cross-functional CTO role. There are no required binaries or environment variables, which is consistent for a policy/architecture instruction-only skill.
- Instruction Scope (note): SKILL.md is largely high-level governance, processes, templates and orchestration guidance — it does not embed shell commands, credential-exfiltration code, or references to unrelated system paths. However, the instructions are broad and intended to drive operational changes (deploy, configure, govern AI agents). Because the skill is open-ended, an agent following it could legitimately be instructed to read/write files or call network APIs; the guidance contains no strict limits on which files/endpoints to touch.
- Install Mechanism (ok): Instruction-only skill with no install spec and no code files. This is low-risk from an install perspective; nothing is downloaded or written by an installer step.
- Credentials (concern): The skill declares no required environment variables or credentials (good), but the embedded metadata requests permissions: files: [read, write], network: [api], and mcp: [sessions_send, subagents]. Those permissions are powerful and expand the agent's ability to access local files, call arbitrary APIs, and spawn/coordinate subagents. While these capabilities can be justified for a CTO/orchestrator role, they are broad and not scoped to specific paths, hosts, or services — increasing the potential for misuse or accidental data exposure.
- Persistence & Privilege (note): always: false (good). The skill allows normal autonomous invocation (disable-model-invocation: false), which is the platform default. The notable privilege is the declared mcp capability to send sessions and spawn subagents — combined with autonomous invocation, this increases the blast radius if the skill is granted the declared permissions. There is no sign the skill modifies other skills' configs or requests permanent installation.
