Skill Guard 1.0.2
Warn
Audited by ClawScan on May 10, 2026.
Overview
The skill’s security-scanning purpose is coherent, but its installer script deletes files along unvalidated paths, and the package’s provenance and dependency handling are unclear.
Do not treat this as malicious, but review carefully before use. If you install it, only pass normal ClawHub slugs you trust, avoid --force and --skip-scan unless you understand the impact, and prefer a patched version that validates paths, pins mcp-scan, and fixes the metadata/provenance mismatch.
Findings (4)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

A crafted or mistaken slug containing path traversal could cause deletion outside the staging or skills folder, especially when --force is used.
The command-line slug is inserted into recursive deletion paths without slug validation, path normalization, or a check that the resolved path remains under the intended directory.
SKILL_SLUG="$1" ... rm -rf "$STAGING_DIR/skills/$SKILL_SLUG" ... rm -rf "$SKILLS_DIR/$SKILL_SLUG"
Validate slugs against the expected ClawHub format before any file operation, canonicalize paths with realpath, verify containment under the staging/skills directory, and avoid rm -rf on untrusted path components.

Users have less assurance that the reviewed package, publisher, and version are the same ones they intended to install.
The skill’s self-declared package metadata conflicts with the supplied registry metadata, which lists a different owner ID, slug, and version.
"ownerId": "kn7dwht9vrea13nnnzsgdjtrhh80ksm3", "slug": "skill-guard", "version": "1.0.2"
Align registry and package metadata, publish from a verifiable source, and provide a homepage or repository so users can confirm provenance.

The code that actually performs scanning can change independently of this skill, which affects reproducibility and supply-chain assurance.
The scanner dependency is fetched and executed at runtime as whatever version is currently latest. This is central to the skill’s purpose, but it is not pinned to a reviewed version.
scan_output=$(uvx mcp-scan@latest --skills "$staged_path" 2>&1)
Pin mcp-scan to a specific reviewed version and declare required binaries/dependencies in metadata.

The phrase may trigger prompt-injection detectors, but in context it appears educational rather than an attempt to control the agent.
This prompt-injection wording is used as explanatory threat content for a security scanner, which explains the static scan hit.
Prompt injections — hidden "ignore previous instructions" attacks
Keep adversarial examples clearly escaped in code blocks or test fixtures to reduce scanner ambiguity.
