Skill v1.1.0

ClawScan security

Skillguard · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Benign · Mar 24, 2026, 12:37 PM
Verdict
benign
Confidence
high
Model
gpt-5-mini
Summary
The skill's code, requirements, and runtime instructions are consistent with an auditing wrapper that sends skill source code to a third-party SkillGuard API before installing; the main risk is the intentional transfer (exfiltration) of source code to that external endpoint, a privacy concern that the SKILL.md explicitly discloses.
Guidance
This tool does what it says: it fetches skill source (or reads a local file) and sends the full contents to https://api.agentsouls.io for analysis. Before using it, consider: (1) Do you trust the SkillGuard operator? The audit will transmit full source code (including any accidentally committed secrets) to that external service. The SKILL.md claims the code is analyzed in memory and not stored — you must trust that claim. (2) Inspect audit.sh and safe-install.sh yourself (they are included and readable) so you know exactly what will be sent and when clawhub is invoked. (3) Use the provided self‑hosting option or manual review if you cannot expose code externally. (4) Be cautious with the --force flag in safe-install.sh (it bypasses the audit). If these privacy/trust tradeoffs are acceptable, the skill is coherent and appropriate for the stated purpose.

Review Dimensions

Purpose & Capability
ok: Name/description match the behavior: the scripts fetch skill files via clawhub, aggregate source, and POST them to https://api.agentsouls.io for analysis. Required binaries (curl, jq, clawhub) are appropriate and proportionate to that purpose.
Instruction Scope
note: The runtime behavior intentionally reads full skill source (SKILL.md and files with .sh/.js/.ts/.py/.md) and transmits it to the external audit API. This is coherent with an audit tool, but it means the skill will send full source code (including any secrets inadvertently committed) off-host. The SKILL.md explicitly discloses this, which mitigates surprise but does not eliminate privacy risk.
Install Mechanism
ok: No remote install/downloads or archives; this is an instruction+script bundle. The scripts are plain shell (audit.sh, safe-install.sh) and do not fetch or execute arbitrary remote code themselves. Risk from installation is low because there is no extract/download install mechanism in the skill metadata.
Credentials
note: No environment variables or credentials are required by the skill. However, the audit relies on a third-party endpoint (api.agentsouls.io) to receive full source code; that external trust relationship is the primary sensitive requirement. The scripts do not request unrelated credentials, but they will transmit whatever code you give them to the external API.
Persistence & Privilege
ok: The skill does not request permanent inclusion (always:false). It does not modify other skills or system configuration. The wrapper execs clawhub install to perform installations, which is expected behavior for a pre-install audit wrapper.