Skill v1.5.0
ClawScan security
Roster · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Benign · Apr 7, 2026, 3:43 PM
- Verdict
- benign
- Confidence
- medium
- Model
- gpt-5-mini
- Summary
- The skill's code, env vars, and instructions align with its stated purpose (creating rosters and pushing to GitHub), but the runtime instructions include unusual formatting mandates and a detected prompt-injection pattern — review before use and restrict the GitHub token scope and repo.
- Guidance
- What to check before installing or enabling:
  1. Limit the GitHub token: create a fine-grained PAT scoped only to the single repo (contents: read/write, actions: write) and short lifetime; do NOT supply a broad classic repo token.
  2. Test in a throwaway private repo with dummy employees to confirm behaviour and that GitHub Actions do only the expected PDF/email steps.
  3. Manually inspect the repository workflows (.github/workflows/*.yml) — dispatched workflows run in repo context and can access repo secrets.
  4. Review SKILL.md (and remove any hidden unicode control characters) — the file enforces mandatory emoji formatting and contains a detected unicode-control-chars pattern which is unusual; ensure there are no hidden instructions that could alter agent behaviour.
  5. Be aware the skill will collect/store personal data (names, emails, minor status); keep ROSTER_REPO private and comply with data-protection rules.
  6. If you want to prevent automatic writes/dispatches, do not enable autonomous invocation or run the skill only with user confirmation before any push/dispatch.
  If anything looks unexpected, prefer 'do not install' or test in an isolated environment first.
- Findings
[unicode-control-chars] unexpected: Unicode control characters were detected in SKILL.md. This is not required for scheduling functionality and can be used to try to influence prompt parsing/behaviour. The SKILL.md also contains rigid emoji/formatting mandates — together these warrant manual review of the file for hidden control chars or injected sequences before trusting outputs.
Review Dimensions
- Purpose & Capability
- ok: Name/description match required assets: scripts perform GitHub reads/writes, JSON push, and workflow dispatch. Declared binaries (curl, python3, base64) are used by the scripts and the requested env vars (GITHUB_TOKEN, ROSTER_REPO) are exactly what the GitHub integration needs.
- Instruction Scope
- note: SKILL.md prescribes a full workflow: load employees.json, parse CSVs, create JSON, push to GitHub, and trigger workflows. It also mandates strict Telegram formatting (many required emojis, forbidden formats) and tells the agent to 'memorize' employee data and request emails for new employees. These formatting rules are unusual and there is a pre-scan flag for unicode-control-chars in SKILL.md (possible prompt-injection artifact). The data-collection behaviour (asking for new employee emails) is expected for the feature but is PII-sensitive and should be used only with consent and in a private repo.
- Install Mechanism
- ok: There is no network download/install step; this is instruction + script-based and ships with the scripts. No external archives or unusual installers are fetched at runtime by the skill itself. Risk from install mechanism is low.
- Credentials
- ok: Only GITHUB_TOKEN and ROSTER_REPO are required. Those are proportionate: scripts read/write employees.json and dispatch GitHub Actions. The README explicitly recommends a fine-grained PAT and minimal permissions (Contents read/write, Actions write), which is appropriate.
- Persistence & Privilege
- note: always:false (not forced into all agents). The skill can autonomously run (default) and — with the provided token — can push JSON files, update employees.json, and dispatch GitHub Actions. This is expected for the feature but gives the skill meaningful write-and-trigger capability in the target repo; review workflows and token scope before enabling autonomous runs.
