Skillv2.0.4

ClawScan security

Skill Dashboard · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

SuspiciousFeb 26, 2026, 5:46 AM

Verdict: suspicious
Confidence: medium
Model: gpt-5-mini
Summary: The skill's purpose (a local dashboard for managing skills) is plausible, but there are several incoherences and risky behaviors (metadata mismatch, unsanitized shell execs, odd file-path assumptions) that warrant caution before installing.
Guidance: This skill is plausibly what it says (a local dashboard) but there are red flags you should consider before installing: - Metadata mismatch: SKILL.md says it requires 'jq' but the package metadata and code do not—ask the maintainer to clarify and provide an updated package manifest. - Command execution risk: the code uses shell exec (clawhub inspect/update/uninstall, open) with parameters that can come from parsed text or user input. If an attacker can cause a crafted skill name to be processed, it could lead to shell injection. Ask the developer to sanitize inputs or use execFile/spawn with argument arrays. - File/path assumptions: dev-dashboard reads a sibling skill-state file via a relative path; confirm install layout so it doesn't accidentally read unrelated files. - Operational impact: the skill will call clawhub update/uninstall, which can modify or remove other skills. Confirm you trust the skill and the clawhub CLI on your system. Recommended actions before installing: 1. Review the source (the included JS files) yourself or ask the author to explain the jq metadata and the relative path usage. 2. Verify clawhub CLI is legitimate and required; consider running the code in a sandbox or review/modify it to use safer child_process APIs (pass arguments as arrays, validate slugs against a strict pattern). 3. If you plan to use it, ensure backups for your skills, and only allow confirmed update/uninstall actions. If the maintainer can address input sanitization and fix the manifest inconsistencies, this would lower my concern.

Review Dimensions

Purpose & Capability: noteThe name/description (manage installed skills via a dashboard) matches the code: it lists installed skills and calls clawhub to inspect/update/uninstall. However SKILL.md metadata lists a required binary 'jq' while the registry metadata says no binaries required and none of the JS code calls jq. Also the package is described as 'instruction-only' while the registry contains multiple code files—these inconsistencies suggest sloppy packaging or outdated metadata.
Instruction Scope: concernThe runtime code uses child_process.exec to run clawhub list/inspect/update/uninstall and to open the browser. Some exec calls use values derived from user input or loosely-parsed strings (e.g., update/uninstall paths), and there is no obvious sanitization of those inputs before interpolation into shell commands — a potential command-injection vector. The dev-dashboard reads another package's state file via a relative path (path.join(__dirname, '..', 'skill-dashboard', 'skill-state.json')), which may access unexpected files depending on install layout. The SKILL.md promises local-only caching and two-step confirmations, which the code mostly implements, but the exec usage and path assumptions broaden the skill's effective scope.
Install Mechanism: noteThere is no install spec (lowest install risk), but code files are included so runtime will execute locally. The lack of an install script is not dangerous per se, but combined with executable child_process calls it means the skill relies on the environment (clawhub CLI present) and will execute shell commands at runtime.
Credentials: okThe skill does not request environment variables, secrets, or external credentials. Its filesystem access is limited to local cache/state files within the skill directory (skill-state.json, dev-cache.json). That is proportionate to the stated purpose. However, the skill will run clawhub CLI commands which can alter installed skills (update/uninstall) and so needs the clawhub CLI and appropriate OS permissions.
Persistence & Privilege: okalways is false and the skill does not request persistent platform privileges. It writes its own cache/state files but does not attempt to modify other skills' configuration files directly (aside from invoking clawhub CLI which can change installed skills). The combination of autonomous exec of clawhub commands and lack of input sanitization increases blast radius, but persistence flags are normal.