Skill v0.1.0
ClawScan security
Cluster Agent Swarm · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Suspicious · Mar 3, 2026, 12:47 AM
- Verdict: suspicious
- Confidence: medium
- Model: gpt-5-mini
- Summary: The skill's stated purpose (coordinated cluster operations) aligns with the tools and behaviors described, but the runtime instructions imply access to highly privileged cluster and cloud credentials and suggest installing code from a third-party GitHub repo while declaring no required credentials or install artifacts; the gaps merit caution.
- Guidance: This skill claims broad, privileged cluster control but does not declare what credentials or config paths it needs and recommends pulling code from an external GitHub repo. Before installing: (1) Review the referenced GitHub repository and the actual skill code (do not run 'npx' blindly); (2) Verify exactly which credentials and kubeconfigs the skill will use and ensure least-privilege service accounts are provided (avoid cluster-admin); (3) Run first in an isolated/staging environment and audit actions/logs; (4) Require human approval gating for any destructive operations and confirm the promised 'cannot do' guardrails are enforced in code; (5) Prefer explicit environment-variable declarations and documented auth flows (e.g., use dedicated service accounts, short-lived tokens); if the author cannot provide these, treat the package as higher risk.
Review Dimensions
- Purpose & Capability (note): The name/description (multi-agent cluster operations) matches the listed tools (kubectl, oc, argocd, helm, kustomize, cloud CLIs). However, the skill does not declare any required credentials or config paths even though legitimate operation requires kubeconfigs and cloud provider credentials; that omission is unexpected and should be explained.
- Instruction Scope (note): SKILL.md instructs agents to read cluster state, run GitOps operations, scan images/SBOMs, and run runbooks. Those actions legitimately require access to cluster state and registries. The instructions do not explicitly reference which local files or env vars (e.g., ~/.kube/config, KUBECONFIG, AWS/GCP creds, ArgoCD tokens) will be read or required, creating ambiguity about what the agent will access at runtime.
- Install Mechanism (note): The packaged skill is instruction-only (no install spec). The document recommends installing via 'npx skills add https://github.com/…', which would fetch and run code from a third-party GitHub repository. Fetching runtime code from an external repo is common but increases risk if the repository is unvetted; no checksum, release tag, or verified publisher is provided.
- Credentials (concern): Despite describing actions that require privileged credentials (kubeconfig, cloud provider credentials, registry credentials, ArgoCD tokens), the skill declares no required environment variables or primary credential. Asking to operate on clusters without declaring expected credentials is disproportionate and obscures what sensitive secrets the agent will need or access.
- Persistence & Privilege (note): always:false (good). The metadata includes heartbeat schedules causing periodic autonomous activity; autonomous invocation is platform-default but combined with missing credential declarations and broad operational scope increases the blast radius. The skill also documents auto-subscription behavior (agents receive all comments once subscribed), which could cause persistent collection of task/comment data.
