Skill v1.0.0

ClawScan security

Codespace Manager · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Suspicious · Feb 25, 2026, 8:42 AM
Verdict
suspicious
Confidence
medium
Model
gpt-5-mini
Summary
The skill's behavior broadly matches a codespace manager, but there are notable inconsistencies and supply‑chain / exposure risks you should understand before installing.
Guidance
Before installing or running this skill: (1) expect it to build a Docker image and create directories under ~/codespaces, start containers, and expose code-server to the internet via Cloudflare Quick Tunnel; only run on a machine you control or an isolated VM. (2) Review the Dockerfile and the install scripts it calls (bun.sh, astral.sh, opencode.ai); they are fetched and executed at build time (curl | bash) — consider pinning to known release artifacts or adding checksum verification. (3) Change the default password and avoid leaving the default 'codespace' in .default_password (it is stored in plaintext); consider using a secure secret mechanism. (4) Confirm you trust any repositories you allow the skill to clone, since it will mount project dirs into containers. (5) The package metadata omitted required host dependencies (Docker, cloudflared, jq); verify those are present. If the publisher identity, signed release artifacts for installers, or safer install steps (no remote curl|bash) are provided, my confidence would increase and many concerns would be mitigated.

Review Dimensions

Purpose & Capability
concern
The skill claims to manage code-server codespaces (expected to need Docker, cloudflared, jq), but the registry metadata declares no required binaries/env — a mismatch. The script operates on the host (~/codespaces), builds Docker images, clones arbitrary git repos, and exposes services via Cloudflare tunnels; those capabilities align with the stated purpose but require host-level privileges that should have been declared.
Instruction Scope
concern
SKILL.md and scripts instruct the agent to build a Docker image, clone arbitrary git repositories into ~/codespaces/<name>/project, persist per-codespace passwords (default 'codespace') on disk, and start cloudflared tunnels that expose code-server to the public trycloudflare domain. These actions are within the advertised functionality but include broad file system changes, network exposure, and storage of plaintext passwords — all of which should be explicitly highlighted to users.
Install Mechanism
concern
There is no platform install spec (instruction-only), but the included Dockerfile downloads and executes remote install scripts via curl | bash from bun.sh, astral.sh, and opencode.ai. Fetching and piping installers from external URLs without signatures is a supply‑chain risk and should be reviewed/locked down before use.
Credentials
note
The skill does not request cloud provider keys or unrelated credentials (good), but it uses and persists CODESPACE_PASSWORD (default weak value 'codespace') and stores it in $CODESPACE_BASE/.default_password and per-codespace metadata in plaintext. The registry metadata omitted declaring required host tools (Docker, cloudflared, jq) that the script depends on.
Persistence & Privilege
note
always:false (not force-included). The skill creates persistent host state (~/codespaces), builds a Docker image, and launches containers with --restart=unless-stopped — meaning long-lived processes and tunnels. This is expected for a codespace manager but increases blast radius if misused.