Back to skill
Skillv1.0.0
ClawScan security
workflow-migrate · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
SuspiciousMar 3, 2026, 7:51 PM
- Verdict
- suspicious
- Confidence
- medium
- Model
- gpt-5-mini
- Summary
- The skill's purpose (migrating automations to scripts) is plausible, but the runtime instructions reference environment secrets, file I/O, and tooling scope that are not declared in the metadata, creating mismatches you should understand before installing.
- Guidance
- This skill appears to do what it says (generate production-style scripts) but has some inconsistencies you should address before installing: 1) The SKILL.md templates expect API keys and a .env file, but the skill metadata doesn't declare any required credentials — confirm with the author which secrets you'll need and how they should be provided. 2) The allowed-tools include filesystem and shell access; avoid granting the agent access to workspace files that contain unrelated secrets (home dir, CI/CD credentials, SSH keys, etc.). 3) Inspect any generated scripts for hardcoded endpoints, excessive logging of sensitive payloads, and proper error handling before running them in production. 4) Run generated code in a sandbox or isolated environment, and rotate any secrets used for initial testing. If you need higher assurance, ask the publisher for an explicit list of required env vars and a minimal reproduction that shows exactly which files will be read/written.
Review Dimensions
- Purpose & Capability
- noteThe skill's name and description match the SKILL.md: it parses workflow descriptions and outputs runnable Python/Node scripts. However, the templates it generates assume use of environment variables (API_KEY, WEBHOOK_URL, etc.), .env files, and filesystem logging — none of which are declared in the skill metadata. That mismatch is noteworthy but may be an omission rather than malicious intent.
- Instruction Scope
- noteSKILL.md instructs the agent to parse user-provided workflow JSON/pastes, ask clarifying questions, and then generate, write, and edit full scripts (including config loading and log file creation). The declared allowed-tools (Read, Write, Edit, Bash, Glob, Grep, WebSearch) give the agent filesystem and shell capability; the instructions don't explicitly tell the agent to read arbitrary host files, but generated templates call load_dotenv() / require('dotenv') which will read a .env file if present. That combination gives the agent potential to read environment files in the workspace—this is within scope for code-generation but increases the risk of accidental exposure of unrelated secrets if the agent is granted broad file access.
- Install Mechanism
- okInstruction-only skill with no install spec and no code files — lowest install risk. No downloads, package installs, or external installers are specified in the metadata.
- Credentials
- concernThe skill metadata declares no required environment variables or credentials, yet the code templates expect secrets via environment variables (.env) such as API_KEY and WEBHOOK_URL. Requiring user API keys to reach third‑party APIs is reasonable, but the omission in metadata is a mismatch: the skill does not explicitly request those secrets up front, and the allowed-tools set could let the agent access .env or other local credential files. This creates an unclear credential surface and potential for accidental exposure or misuse of unrelated secrets.
- Persistence & Privilege
- okalways is false and the skill is user-invocable (normal). The skill writes generated scripts and log files per its instructions, which is expected behavior for a code-generation/migration tool; there is no indication it tries to modify other skills or system-wide agent settings.