Skill v1.0.0
ClawScan security
cesto-toolkit · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Suspicious · Mar 27, 2026, 8:11 PM
- Verdict: suspicious
- Confidence: medium
- Model: gpt-5-mini
- Summary: The skill's code and instructions match its claimed Cesto functionality, but a prompt-injection pattern was detected in SKILL.md and the skill writes/encodes authentication tokens to disk with only weak obfuscation — review before installing.
- Guidance: This skill appears to implement the advertised Cesto API functionality and contains the expected login and API helper scripts, but exercise caution before installing:
  1. The SKILL.md contained a prompt-injection pattern — inspect the raw SKILL.md for hidden instructions or suspicious text.
  2. The skill stores authentication tokens under ~/.cesto using a weak obfuscation (XOR/base85 derived from username@hostname) — consider whether you're comfortable with tokens on disk and with the potential for local recovery.
  3. api_request restricts network calls to backend.cesto.co, which is good, but confirm the backend URLs are correct and that you trust the skill's owner (owner ID is unknown).
  4. If you proceed, run the skill in a sandboxed environment or on a machine/account where storing these tokens is acceptable, and consider auditing the code yourself or asking the publisher for provenance (signed release, homepage, or official source).
  If you need higher assurance, request a version of the skill from a verified source or with stronger local encryption for session tokens.
- Findings
  - [ignore-previous-instructions] unexpected: A prompt-injection pattern was detected in SKILL.md content. This is not expected for a documented runtime flow and could indicate an attempt to influence model behavior or the evaluation. Review the SKILL.md source for any hidden or malicious instructions before trusting the skill.
Review Dimensions
- Purpose & Capability
  - ok: Name/description describe interacting with the Cesto platform and the bundled scripts call only backend.cesto.co endpoints, implement browsing, detail, analysis, simulation, and a login/publish flow. No unrelated cloud credentials, binaries, or external services are requested — capability and requirements are consistent.
- Instruction Scope
  - note: SKILL.md instructs the agent to run bundled scripts (fetch_baskets, fetch_basket_detail, analyze_investment, and login flows). The login flow opens the user's browser and the scripts save session tokens locally; the SKILL.md claims the agent won't see tokens (scripts avoid printing tokens). This behavior is within scope, but the skill also registers many trigger phrases (broad automatic invocation) and a prompt-injection pattern was flagged in SKILL.md — both warrant caution.
- Install Mechanism
  - ok: Instruction-only install (no external installer). All code is bundled in the skill; there are no downloads from untrusted URLs or package installs. No files are created outside the skill's own directory except the session files under the user's home (~/.cesto), which are part of its intended function.
- Credentials
  - note: The skill declares no required environment variables or external credentials, which matches its use of the platform backend. However, it stores authentication tokens under ~/.cesto (auth.json and session.dat). The session store uses a simple XOR + base85 obfuscation derived from username@hostname — not cryptographically strong encryption — so anyone with filesystem access could recover tokens. api_request enforces an allowlist to backend.cesto.co, which limits accidental exfiltration to other domains.
- Persistence & Privilege
  - note: always:false (not force-included). The skill writes and updates files in ~/.cesto (session data and auth.json) and performs token refreshes. This is reasonable for a CLI-style login/session flow but does give the skill persistent local state and the ability to refresh/use stored credentials; users should accept writing credentials to their home directory before installing.
