
ClawScan security

Ai Company V1.0.4 Temp · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Suspicious · Apr 28, 2026, 5:15 PM
Verdict: suspicious
Confidence: medium
Model: gpt-5-mini
Summary
The skill's manifest, prompts, and references largely match the claimed 'unified company' purpose, but there are provenance gaps and a few mismatches (auto-update / local scripts, high-privilege actions, and optional API keys not declared) that warrant caution before installing or enabling autonomous use.
Guidance
Plain-language checklist before installing or enabling this skill:
- Provenance: The skill lists an owner ID but no homepage and no clear publisher identity; ask the publisher for the canonical repository, maintainers, and release signing before trusting it in production.
- Review auto-update/manual scripts: README references a PowerShell auto-update script and an automatic weekly update process. Do not run or enable auto-update until you review the update script and verify its source, contents, and signing. Prefer manual updates after code review.
- Limit autonomy: By default this platform allows autonomous invocation. Given this skill's ability to 'create agents', 'deploy to production', or invoke crisis commands, consider disabling autonomous invocation or requiring explicit human approval for any deployment/agent-creation workflows.
- Sandbox first: Run the skill in an isolated environment (test account, VM/container) and with restricted filesystem and network access. Verify that it does not try to access ~/.ssh, ~/.aws, /etc/passwd, or other host secrets.
- Environment variables: The repo mentions optional API keys (geolocation, weather, etc.). Only provide minimal, scoped keys in separate, least-privilege accounts and avoid reusing high-privilege credentials; do not export credentials globally to the agent runtime unless necessary.
- Audit and logging: Ensure the platform logs all actions the skill performs, and require audit trails for any high-impact actions (deployments, shutdowns, budget approvals).
- Review the references: The repository contains detailed policies (crisis whitelist, security gates). Read the security-and-compliance, platform/infrastructure, and auto-update sections to confirm the behavior matches your expectations.
- Ask for missing artifacts: Request a signed release, changelog, or publisher contact and ask whether the auto-update and PowerShell scripts are required and for their source.
If you can't obtain a trustworthy source and signed releases, treat the skill as untrusted. If you want, I can prepare a short checklist or a set of test prompts to run the skill safely in a sandbox (e.g., exercise information/location/time APIs, simulate a budget approval with low dollar amounts, and verify the skill refuses to read host secrets).
Findings
[no_findings_instruction_only] expected: The regex-based scanner had no code files to analyze; this is an instruction-only skill. Absence of findings is not proof of safety — the security surface is the SKILL.md and the included prompts/references.

Review Dimensions

Purpose & Capability
note: The name/description (unified AI company) aligns with the large collection of department references, prompts, and workflows provided. The repository contains extensive department specs, templates, and operational workflows consistent with the stated purpose. However, the README and SKILL.md reference auto-update scripts (a PowerShell path), VirusTotal/ClawHub verification, and capabilities like 'agent creation', 'production deployment', and 'system-wide shutdown/restart commands' — these are high-impact operational capabilities that are not supported by any install spec or declared permissions. That gap (capability described but not accompanied by clear, explicit install/runtime requirements or provenance) is unexpected and thus flagged as a note.
Instruction Scope
note: SKILL.md and the bundled prompts instruct the agent to read the repository's references and run department-specific workflows (load spec, compliance checks, execute, post-check, report). The instructions explicitly prohibit eval/exec/remote loading and direct not to access ~/.ssh or ~/.aws in robustness checks, which is appropriate. At the same time the references describe services that may require system-level data (GPS/WiFi/system location, NTP) and optional API keys (e.g., GOOGLE_GEOLOCATION_API_KEY), and the skill's workflows include 'agent creation' and 'production deployment' steps. The instructions do not explicitly tell the agent to read arbitrary host files, but the presence of high-privilege operational actions in the workflows means the agent could be expected (by a user) to perform system-level operations — this is a scope expansion that should be constrained and documented by the publisher.
Install Mechanism
ok: There is no install spec and no code files that would be downloaded and executed by the skill. That lowers risk. The README includes a manual git clone and copy-to-skills-folder instruction and mentions a PowerShell manual-update invocation; those are documentation items but not enforced install steps. Because nothing is installed automatically by the skill manifest, install-mechanism risk is low — but the README's auto-update and ps1 script mention should be audited if you plan to run them.
Credentials
note: The published skill declares no required environment variables, credentials, or config paths (proportionate to an instruction-only skill). Nonetheless multiple reference files mention optional API keys (Google geolocation, MLS_API_KEY, external weather/time APIs) and a PowerShell auto-update script path. The skill not declaring any primaryEnv while referencing optional keys and an auto-update script is a mild inconsistency: optional keys are reasonable, but the lack of explicit declaration or guidance about which variables are actually used at runtime can lead to accidental credential exposure if users set global env vars without scoping them.
Persistence & Privilege
concern: always is false (good) and disable-model-invocation is false (normal). However the content permits high-privilege outcomes (agent creation, skill building, production deployment, crisis 'system-wide shutdown/restart commands' in the whitelist). Because the skill can be invoked autonomously by default, and because the repository suggests auto-update and local script execution paths (PowerShell script), there is a non-trivial privilege surface if this skill is granted autonomous runtime or file-system access. Combined with the unknown publisher/homepage and lack of provenance, that increases risk and justifies caution.