Skill v0.1.3

ClawScan security

One-click generator for project promo pages and long screenshots · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Review: Mar 13, 2026, 4:18 PM
Verdict: Review
Confidence: high
Model: gpt-5-mini
Summary
The skill mostly does what it says (scans a project directory, generates editable HTML and a screenshot), but there are implementation issues — notably an unsanitized shell exec for git clone (command-injection risk) and remote script loading — that make it risky to run on sensitive systems without review or isolation.
Guidance
This skill appears to implement exactly the advertised features, but it has a concrete security flaw to weigh before installing or running it on sensitive hosts: src/git.js runs execSync(`git clone --depth 1 ${gitUrl} ...`) with gitUrl interpolated directly into a shell command string, so a crafted git URL containing shell metacharacters (for example `;`, `$(...)` or backticks) can run arbitrary commands as the user running the skill. Recommendations:
- Do not run this skill with access to sensitive files or credentials unless you audit or mitigate the code first.
- If you need git clone support, use it only with trusted repository URLs, or change the code to a no-shell spawn variant (child_process.spawn or execFile with an argument array) or a git library. Validate the URL's scheme and characters before passing it on, and put `--` before the URL so git cannot read a value beginning with `-` as an option.
- Run the skill in an isolated environment (container or VM) whenever you pass untrusted git URLs or project paths.
- The generated HTML loads html2canvas from jsdelivr; opening or editing the generated page in a browser runs that remote script. If your threat model excludes remote scripts, remove the dependency or host it locally.
- If you are not comfortable reviewing or patching the code, test the skill only on non-sensitive sample projects.

Review Dimensions

Purpose & Capability
ok: Name and description match behavior. The code scans local project directories, parses dependencies and the README, renders an editable HTML page and can export a long PNG via Playwright. The required capabilities (filesystem access, optional git clone, optional Playwright) are coherent with the stated purpose.
Instruction Scope
concern: Runtime instructions accept an absolute project path or a git URL and then scan the entire project tree. Scanning local files is necessary for the feature, but the implementation executes a shell git clone via child_process.execSync with the user-supplied gitUrl interpolated directly into the command string, which allows command injection if an attacker can control the gitUrl. The generated HTML also loads html2canvas from jsdelivr (an external CDN), which executes remote JS in the browser/editor context.
Install Mechanism
note: No platform install spec (instruction-only skill), so there is lower risk from install scripts. The package.json lists marked and an optional playwright dependency; using Playwright requires installing it (and its browsers) locally. The public html2canvas loader injects a script from jsdelivr at runtime, a remote dependency that could be tampered with; this is expected for screenshot/export functionality but worth noting.
Credentials
ok: The skill requests no environment variables or credentials. It only needs filesystem access and, optionally, network access for git/GitHub and for fetching external resources; these are proportionate to its purpose.
Persistence & Privilege
ok: always:false, with no special persistence or cross-skill config modifications. The skill does not request elevated platform privileges in its metadata.