Skill v1.0.0

ClawScan security

pua-skill · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Review · Mar 16, 2026, 5:58 AM
Verdict: Review
Confidence: medium
Model: gpt-5-mini
Summary
The skill's instructions are coherent with its stated purpose (force exhaustive debugging), but the runtime guidance encourages broad file access, running commands, and producing full-source evidence without explicit limits — this can lead to sensitive-data exposure or overly aggressive agent actions.
Guidance
This skill is coherent with a debugging/aggressive-troubleshooting purpose, but it explicitly encourages the agent to read source files, run commands, and include full-source evidence in reports. Before installing or enabling it: (1) avoid using it on private or sensitive repos, (2) require the agent to ask for explicit permission before reading files or running system commands, (3) restrict implicit invocation or disable automatic execution in production agents, (4) review the agents/openai.yaml and any policy settings (allow_implicit_invocation) and change them if you want manual control, and (5) monitor logs and outputs for accidental inclusion of secrets. If you want the behavior but with safer boundaries, ask for explicit limits in the SKILL.md (allowed paths, file types, redaction rules, and an explicit confirmation step before any destructive or wide-ranging action).

Review Dimensions

Purpose & Capability
ok: Name/description (push the agent to be exhaustive and evidence-driven) match the SKILL.md: the document prescribes systematic debugging, searching, reading source, running commands, and producing proof. There are no unrelated env or binary requirements.
Instruction Scope
concern: SKILL.md instructs the agent to '先做后问' ("act first, ask later": search, read files, run commands) and to include 'Full source of all included files' in failure reports. That encourages broad repository and system access and generation of full-source outputs, which can expose secrets or private data. The instructions do not impose bounds on which files/paths are allowed or require user consent before performing intrusive actions.
Install Mechanism
ok: Instruction-only skill with no install spec or downloaded code; nothing is written to disk by the skill itself. Lowest install risk.
Credentials
note: The skill requests no environment variables or credentials, which is proportionate. However, its runtime guidance expects the agent to access files and run commands even though no explicit config paths or permissions are declared.
Persistence & Privilege
concern: Skill metadata shows normal invocation settings (always:false). The included agents/openai.yaml sets policy.allow_implicit_invocation: true, and the SKILL.md promotes acting before asking; combined, this increases the chance the agent will act autonomously (read files, run commands) without explicit user confirmation.