Skill v0.2.1

ClawScan security

Pg Update · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Review · Mar 21, 2026, 10:34 PM
Verdict: Review
Confidence: medium
Model: gpt-5-mini
Summary
The skill's behavior mostly matches an updater for the ProxyGate CLI/SDK, but metadata is inconsistent (it doesn't declare required binaries) and it includes an auto-check script that will write to your Claude cache and may be run at session start — these mismatches and the ability to run npm installs warrant caution.
Guidance
This skill appears to do what it says (check and install updates for the ProxyGate CLI/SDK), but there are some metadata inconsistencies and operational risks you should consider before installing:

- Metadata mismatch: SKILL.md and the bundled script call 'proxygate', 'npm', and optionally 'pnpm', yet the skill metadata declares no required binaries. Confirm you have Node/npm/pnpm and proxygate installed and that the skill author intentionally omitted these requirements.
- Global installs: The skill tells the agent to run 'npm install -g @proxygate/cli@latest' and to modify project dependencies. Global and project npm installs can run package install scripts with arbitrary code — verify the package source (@proxygate on npm) and prefer to run upgrades manually if you don't trust automatic installs.
- Auto-check script: scripts/check-update.sh writes to ~/.claude/cache and the file header says it runs on SessionStart. Ask the author how/when that script will be invoked. If you do not want autonomous checks or automatic installs, disable model/skill autonomy or run the steps manually.
- Safety steps: inspect the @proxygate packages on the npm registry before upgrading; run npm installs interactively in a terminal you control; back up any important local config (e.g., ~/.proxygate/config.json) before upgrading; and request the skill author to update metadata to list required binaries and to document whether the check script is automatically executed on session start.

If the author clarifies the metadata (adds required binaries) and documents invocation behavior, the skill would be coherent and lower-risk. Until then, treat it with caution and consider running updates yourself rather than allowing autonomous agent installs.

Review Dimensions

Purpose & Capability
concern: The skill claims to update the ProxyGate CLI/SDK, which legitimately requires the proxygate binary and a Node/npm (or pnpm) toolchain. However, the skill's metadata lists no required binaries or environment variables despite SKILL.md and the included script invoking proxygate, npm, and pnpm. This is an incoherence in declared requirements vs. actual actions.
Instruction Scope
note: The SKILL.md instructions stay within the updater's purpose (checking versions via npm view, running npm install -g, updating SDKs, refreshing skills, clearing a cache file). They do cause system changes (global npm installs, modifying project deps) and delete a cache file in ~/.claude/cache; those are expected for an updater but are sensitive operations and should be explicitly disclosed in metadata.
Install Mechanism
note: There is no install spec (instruction-only), which minimizes supply-chain risk from the skill package itself. The included script makes network calls (npm view) and the runtime steps instruct npm/pnpm installs, so the main risk is the normal npm supply-chain risk from installing @proxygate/cli/@proxygate/sdk — expected for an updater but worth highlighting.
Credentials
ok: The skill does not request credentials or environment variables. It references user-local paths (~/.claude/cache and, in docs, ~/.proxygate/config.json) but does not attempt to read secret environment variables. No disproportionate credential access is requested.
Persistence & Privilege
note: always is false (good). The included script's header claims it "runs on Claude Code SessionStart" and it writes to ~/.claude/cache/proxygate-update-check.json; metadata does not declare automatic session-start execution. Because the agent may be allowed to invoke skills autonomously (disable-model-invocation is false), the agent could run the updater or the check script without clear user-visible consent — this combination increases risk and should be clarified.