Skill v1.0.0

ClawScan security

SDD - Scenario-Driven Detection · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Suspicious · Mar 10, 2026, 12:58 AM
Verdict
suspicious
Confidence
high
Model
gpt-5-mini
Summary
The skill's instructions require broad access (crawling, interacting with live sites, reading/writing project source, running tests, and committing fixes) but the metadata declares no dependencies, tools, or credentials — this mismatch is concerning and needs clarification before use.
Guidance
Before installing or using this skill, be aware of these points:

1) The skill will try to read and modify your project files, run tests, and make git commits — only use it on repositories you trust and back up or work on a branch/fork.
2) It performs live site crawling and may require login credentials or tokens; provide only ephemeral or least-privilege credentials and avoid sharing long-lived secrets.
3) The metadata does not declare required tools (browser automation like Playwright/Puppeteer, a headless browser, git, node/test runner); confirm your agent environment has the expected tooling or the skill may fail or behave unpredictably.
4) Confirm whether the agent will ask for explicit user approval before applying any code changes or pushing commits — prefer modes that generate fix proposals rather than auto-applying fixes.
5) If you plan to let the agent post reports to Slack/Discord, use dedicated webhooks with limited scope.

Providing the author or maintainer details, a clear list of runtime dependencies, and an explicit safety/consent flow (e.g., require interactive confirmation for commits) would reduce risk and could change this assessment to benign.

Review Dimensions

Purpose & Capability
concern: The declared purpose (find and automatically fix 'logical' defects in UIs/APIs) is plausible. However, achieving that requires filesystem access, VCS (git) operations, a browser automation/runtime (e.g., Playwright/Puppeteer or a real browser), and test runners. None of those tools, binaries, or environment/credential requirements are declared in the metadata, which is an incoherence: either the skill assumes the agent environment already has extensive capabilities or the metadata is incomplete.
Instruction Scope
concern: SKILL.md instructs the agent to crawl URLs (click elements, capture DOM), analyze and modify source code (file:line changes), run existing tests, commit fixes, and post md reports to external channels (Discord/Slack). It also tells the agent to request login credentials or cookies when needed. These are high-scope actions that access user files, credentials, and external networks — none of which are described in the skill metadata or constrained in the instructions (e.g., no explicit requirement that the user must approve commits before they are made).
Install Mechanism
note: There is no install spec or code (instruction-only), which reduces supply-chain risk. That said, the runtime behavior described implicitly requires nontrivial tooling (browser automation, test runners, git). The absence of declared dependencies or recommended runtime tools is a gap (not an immediate code-execution risk, but an operational mismatch).
Credentials
concern: The skill requests (in instructions) credentials/cookies for authenticated crawling and suggests posting reports to third-party channels — yet the registry metadata declares no required env vars or primary credential. The implicit need for access tokens, webhook URLs, or repository write permissions is disproportionate to the metadata and should be explicitly declared. The skill also writes files and performs VCS commits, which are sensitive actions relative to an 'analysis' skill.
Persistence & Privilege
concern: The skill will write report files and, in Mode A, modify source code and create commits. While always:false (it is not force-enabled), these actions are powerful: autonomous invocation combined with code-modifying instructions increases blast radius if the agent is allowed to act without user confirmation. The SKILL.md does not mandate explicit user approval before applying commits, only a general note about not breaking tests — this is a privilege/consent gap.