ClawHub

coder

PendingStatic analysis audit pending.

Overview

No static analysis result has been recorded yet. Pattern checks will appear here once the artifact has been analyzed.

Findings (0)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

Note
ASI05: Unexpected Code Execution
What this means

Installing the skill allows the agent to run this included script, but the script does not access files, credentials, network services, or modify the system.

Why it was flagged

The skill requests permission to execute a local script and documents invoking that script, but the reviewed script only emits fixed brand, feature, or JSON text.

Skill content
permissions:
      - exec
...
```bash
scripts/coder-info.sh
```
Recommendation

Acceptable for this purpose; users should still recognize that the skill uses local script execution.

Note
ASI09: Human-Agent Trust Exploitation
What this means

A user may expect functional coding tools, but the artifacts show only informational output.

Why it was flagged

The description advertises developer-productivity capabilities, while the actual documented behavior is namespace reservation and informational output.

Skill content
Provides code scaffolding, snippet management, refactoring helpers, and project template generation.
...
This skill reserves the `coder` namespace on ClawHub and provides brand identity and feature information when invoked.
Recommendation

Treat this as a brand/info skill unless future versions add the advertised coding functionality.