origin

Pass

Audited by ClawScan on May 1, 2026.

Overview

This skill appears safe to install because its scripts only print provenance/audit status, but its lineage and compliance functionality is mostly placeholder and should not be relied on as a real audit system.

This looks low-risk, but treat it as an informational placeholder rather than a real data-lineage or compliance-audit tool. Re-review before using any future version that actually reads datasets, writes audit logs, connects to backends, or handles credentials.

Findings (2)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

The skill can run a local script if invoked, but the reviewed script does not perform destructive actions, read files, send network traffic, or use credentials.

Why it was flagged

The skill declares permission to execute a bundled local script. This is disclosed and expected for the documented workflow, and the included script is limited to printing status text.

Skill content

"permissions": ["exec"],
"scripts": ["scripts/trace-lineage.sh"]

Recommendation

Review the script before running it and treat any future version with expanded tracing or audit behavior as requiring a fresh review.

What this means

A user could overestimate the current audit/compliance value of the skill if they assume these commands perform real provenance verification.

Why it was flagged

The trace and audit functions only print messages; they do not implement actual lineage collection, transformation logging, or anchor auditing despite the broader provenance/audit description.

Skill content

trace() {
    echo "[TRACE] Data lineage tracing initiated..."
    echo "[TRACE] Resolving source → transformation → destination chain"
    echo "[TRACE] Origin checkpoint: $(date -Iseconds 2>/dev/null || date '+%Y-%m-%dT%H:%M:%S')"
}

audit() {
    echo "[AUDIT] Audit trail requested..."
    echo "[AUDIT] Scanning registered provenance anchors"
}

Recommendation

Use this version only as a placeholder or namespace reservation, not as a compliance control, unless real provenance backends and audit logs are added and reviewed.