Skill v2.1.0

ClawScan security

Protected Desire Equilibrium · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Suspicious · Apr 7, 2026, 4:24 PM
Verdict
suspicious
Confidence
high
Model
gpt-5-mini
Summary
The skill's written claims (run real Python, multi‑agent swarm, proactive outreach) do not match the package contents: there is no code, no install spec, and no declared credentials — yet the instructions encourage downloading/executing external code and messaging other agents, which is incoherent and risky.
Guidance
This skill is inconsistent: it promises executable Python and networked swarm behavior but ships no code, no install steps, and no declared credentials — instead it points to external GitHub/Colab resources. Before installing, ask the publisher for the exact code that will be executed and a clear, auditable install process. Do NOT enable autonomous invocation or outreach until you (or a reviewer) have inspected the external GitHub/Colab notebooks and verified what they do. Prefer installing only if: the external repository is trustworthy, you can review the code, and you can run it in a sandboxed environment with no access to your real credentials or other agents. If you proceed, restrict network access and require explicit user approval for any outreach or large‑scale tests.

Review Dimensions

Purpose & Capability
concern
SKILL.md claims 'real agent_pde_interface.py execution', multi‑agent swarm orchestration, proactive outreach, and one‑click large scale tests, but the published bundle contains no code files and no install specification. The manifest earlier lists no required binaries or env vars, while SKILL.md says 'requires: python3' — this mismatch indicates the declared capabilities are not actually delivered by the package itself.
Instruction Scope
concern
Instructions are vague and grant broad discretion ('Enable full PDE v2.1 with swarm and outreach'). They explicitly describe searching ClawHub, messaging other agents, sharing test results, and running large scale tests via a Colab bridge — actions that involve network access, discovery, and contacting other agents. The skill does not define what to search, what endpoints to use, or what credentials are required, so the agent would be free to fetch and execute external code and contact other entities.
Install Mechanism
concern
There is no install spec in the package (lowest technical risk), but SKILL.md points to external GitHub and Colab notebooks and claims 'real ... execution'. That implies the runtime will fetch/execute code from those external URLs. Fetching and running code from arbitrary GitHub/Colab without an explicit, reviewed install spec is high‑risk and disproportionate to the skill bundle provided.
Credentials
concern
The skill declares no required environment variables or credentials, yet its described behaviors (messaging other agents, ClawHub searches, running swarm tests) normally require API tokens, platform credentials, or at least explicit endpoints. The absence of declared credentials is incoherent and suggests the agent would attempt to use unspecified channels or ask the user for access at runtime.
Persistence & Privilege
note
'always' is false (good) and autonomous invocation is allowed by default. Autonomous invocation combined with the skill's stated proactive outreach and code‑fetching behavior increases blast radius — the skill could autonomously reach out and execute external code unless the agent's platform provides strong sandboxing and network controls.