Skill v0.2.0

ClawScan security

clawpacker · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Suspicious
Mar 18, 2026, 11:53 PM
Verdict
suspicious
Confidence
medium
Model
gpt-5-mini
Summary
The skill is coherent with its stated purpose (agent packaging) but instructs the agent to fetch and blindly follow a remote SKILL.md from raw.githubusercontent.com, which creates a supply-chain and execution risk; the fetched document should be validated before use.
Guidance
This skill itself is light and matches its description, but it tells the agent to fetch and then 'follow' a remote SKILL.md from raw.githubusercontent.com — that remote document could change and instruct the agent to run arbitrary commands. Before installing or using this skill: (1) verify the canonical URL and publisher provenance; prefer a pinned commit SHA or release URL rather than a branch (master/main); (2) require the agent to fetch the document only for manual review (do not allow automatic execution of fetched instructions); (3) inspect any fetched SKILL.md before running commands, or keep a vetted local copy; (4) consider running packaging operations in a sandbox or dry-run mode; and (5) if you need higher assurance, ask the publisher for signed releases or a reproducible release artifact rather than relying on live raw URLs.

Review Dimensions

Purpose & Capability
ok: Name and description match the instructions: this is an instruction-only skill for packaging/moving agents and it points to a canonical 'clawpack' documentation source. It does not request unrelated binaries, env vars, or config paths.
Instruction Scope
concern: The runtime instructions tell the agent to fetch a canonical SKILL.md from raw.githubusercontent.com and to 'follow that canonical document for all command details.' That grants broad authority to execute whatever commands the remote document specifies, creating a supply-chain risk. The fallback behavior (stop if fetch fails) is safe, but there is no explicit instruction to validate or sandbox the fetched content before executing it.
Install Mechanism
ok: No install spec and no code files (instruction-only) — nothing is written to disk by the skill itself. The only network action required is fetching the canonical SKILL.md at runtime, which is higher risk than a pure offline document but is described explicitly.
Credentials
ok: The skill declares no required environment variables, credentials, or config paths; there are no disproportionate credential requests.
Persistence & Privilege
ok: Default privileges (always:false, model invocation allowed) — no unusual persistence or forced inclusion. The skill does not request to modify other skills or system-wide settings.