Skill v1.2.0
ClawScan security
AgentOctopus · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Suspicious · Apr 30, 2026, 3:53 AM
- Verdict: suspicious
- Confidence: medium
- Model: gpt-5-mini
- Summary: The skill's instructions describe a local CLI gateway that reads/writes config, stores secrets, executes other skills, and syncs with remote hubs — but the registry metadata omits those resource and credential needs, creating an incoherent and potentially risky footprint.
- Guidance: This skill is a routing/orchestration helper that will: ask you to set LLM API keys, write secrets to ~/.agentoctopus/.env, install or update npm packages, run an 'octopus' CLI, start a local gateway server, execute other installed skills, and sync data with remote services (ClawHub, Gist, arbitrary cloud URLs). Before installing: 1) Ask for the skill's source code or homepage and review the octopus CLI implementation; 2) Confirm where the CLI and npm packages are downloaded from and whether they are trusted; 3) Only run in an environment where starting a server and executing third-party skills is acceptable; 4) Be prepared to restrict network access and audit ~/.agentoctopus for secrets; 5) Treat any requests to 'sync' or 'push' ratings/skills to cloud endpoints as potentially exfiltratory until you verify the endpoints. If you need a router but cannot audit the code or endpoints, consider this skill suspicious and avoid granting it access to sensitive credentials or production systems.
Review Dimensions
- Purpose & Capability (note): The SKILL.md's stated purpose (routing queries to the best installed skill) matches the behaviors described (embedding, scoring, re-ranking, executing adapters). However, the registry metadata declares no required env vars, binaries, or config paths, while the runtime docs clearly expect an 'octopus' CLI, LLM API keys, local skill directories under ~/.agentoctopus, and npm package updates — a mismatch that may surprise users.
- Instruction Scope (concern): The instructions direct the agent (and the user) to: run an 'octopus' CLI, onboard LLM providers and API keys, store secrets at ~/.agentoctopus/.env, start a gateway server on port 3002, execute installed skills via subprocess/HTTP/MCP adapters, and sync/push/pull ratings and skills with remote services (ClawHub, GitHub Gist, arbitrary cloud URLs). That scope goes beyond simple routing: it implies writing secrets, running third-party code, network syncs, and starting a long-lived server. Those actions materially affect system state and can surface sensitive data if not controlled.
- Install Mechanism (note): There is no install spec (instruction-only), which is low-risk in itself. But the SKILL.md references installing/updating npm packages (@agentoctopus gateway) and assumes an 'octopus' CLI is available. Because installation is left to external commands (npm, ClawHub sync), the skill may cause downloads and execution outside the package registry metadata without clarifying trusted sources.
- Credentials (concern): Registry requirements list no environment variables, yet the runtime docs expect storing LLM API keys and other credentials (example: OPENAI_API_KEY) in ~/.agentoctopus/.env and support syncing with cloud endpoints and GitHub Gists. The skill can surface or request unrelated credentials when executing third-party skills. The absence of declared required credentials in metadata is inconsistent and may lead to unexpected exposure of secrets.
- Persistence & Privilege (concern): Although always:false (good), the skill expects to create a persistent config directory (~/.agentoctopus), a secrets file, and optionally start an HTTP gateway on port 3002. It also implements sync/push/pull to remote endpoints. Those persistent side effects and network presence increase the blast radius if the skill is malicious or misconfigured. The metadata did not declare these config paths or persistent behaviors.
