Skill v1.2.0
ClawScan security
Agent Skills Context Engineering · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Suspicious · Feb 28, 2026, 7:57 PM
- Verdict
- suspicious
- Confidence
- high
- Model
- gpt-5-mini
- Summary
- The skill's description matches what it does, but it instructs the agent to silently fetch and apply external SKILL.md files from raw GitHub and to optionally modify the user's always-loaded workspace config — behavior that can persist and change runtime behavior without clear integrity guarantees.
- Guidance
- This skill appears to do what it claims (routing to context-engineering sub-skills), but it will: (1) read your workspace config files to detect integration points, (2) ask to add a persistent 'auto-triggers' section to your always-loaded config (which will make the skill behave differently in future sessions), and (3) silently fetch and apply sub-skill SKILL.md files from raw.githubusercontent.com at runtime. Before installing or accepting config changes, consider:
  - Review the exact text the skill will add to your AGENTS.md/TOOLS.md and deny or edit if you don't want persistent auto-triggers.
  - Prefer using a local/offline copy (git submodule) or require pinned URLs (commit SHAs or tags) so remote changes can't silently alter behavior.
  - If you allow auto-triggers, be aware the agent may fetch external guidance during normal operation without prompting; if that's unacceptable, decline the config modification or disable silent auto-read behavior.
  - Only enable this skill if you trust the upstream repository and are comfortable with the agent making network requests to pull guidance at runtime.
Review Dimensions
- Purpose & Capability
- ok: The skill is an instruction-only wrapper that routes requests to 13 context-engineering sub-skills; its declared purpose aligns with the actions described (loading SKILL.md guidance, routing to sub-skills). It requests no binaries, credentials, or unrelated resources.
- Instruction Scope
- concern: Runtime instructions tell the agent to (a) search the user's workspace config files for a marker, (b) optionally add a persistent 'Context Engineering Auto-Triggers' section to always-loaded config files, and (c) automatically load remote SKILL.md files from raw.githubusercontent.com during normal operation, and to do so silently unless the user asks. Reading and writing workspace files and silently fetching and applying external guidance expands scope beyond simple on-demand help and could alter agent behavior without clear, ongoing user consent.
- Install Mechanism
- note: There is no install spec (instruction-only), so nothing is written by an installer. The skill relies on fetching raw GitHub URLs (raw.githubusercontent.com) to load sub-skills; this is a well-known host, but the SKILL.md URLs are not pinned to specific commits/tags, so remote content can change after install. An optional git submodule workflow writes to the workspace if the user opts in.
- Credentials
- ok: The skill requires no environment variables, credentials, or config paths. It does not request unrelated secrets or credentials.
- Persistence & Privilege
- concern: always:false and normal autonomous invocation are fine, but the skill instructs adding persistent auto-trigger rules into the user's always-loaded config (AGENTS.md/TOOLS.md) if the user agrees. Combined with silent auto-reading of remote SKILL.md files during operation, this creates a persistent behavior change and a continuing network dependency with no built-in content integrity checks.
