Skillv0.1.0

ClawScan security

Chaos Engineer · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

SuspiciousMar 7, 2026, 2:15 PM

Verdict: suspicious
Confidence: high
Model: gpt-5-mini
Summary: The skill's purpose (chaos engineering) matches the destructive operations shown in the files, but the SKILL.md and metadata do not declare or limit the many credentials, elevated privileges, and system modifications the instructions require — this mismatch is concerning and deserves caution before installation or use.
Guidance: This skill legitimately contains destructive chaos-engineering operations, but it omits any declaration of the credentials and privileges those operations require. Before using/installing: 1) Treat it as high-risk — run only in isolated/non-production environments (staging/labs). 2) Expect to need AWS keys, kubeconfig/EKS access, database connection strings, Gremlin/toxiproxy API keys, Slack webhook secrets, and sudo/root on hosts; do NOT supply production credentials. 3) Review and approve every command/manifest the skill will run (especially any aws ec2/terminate, kubectl apply, apt-get, /etc/hosts edits). 4) Ensure automated rollback, kill switches, monitoring, and manual approval gates are in place. 5) Prefer a version that explicitly lists required env vars, required config paths, and a safer 'dry-run' or simulated mode. If the author provides an updated metadata manifest that declares required credentials and clearly documents scopes and safeguards, re-evaluate — that would reduce the current incoherence.

Review Dimensions

Purpose & Capability: concernThe name/description (chaos engineering) aligns with the actions in the references (terminating instances, node drains, Litmus/Chaos Mesh manifests, network/DNS tampering, stress tests). However the skill declares no required env vars/configs while the content expects access to AWS, Kubernetes, local system (sudo,/etc/hosts), Gremlin/toxiproxy, Prometheus, database connections, Slack webhooks, etc. Legitimate for the purpose, but the absence of declared required credentials/config paths is an incoherence.
Instruction Scope: concernThe SKILL.md references and embedded examples instruct running destructive or privileged commands: aws cli terminate-instances, boto3 ec2/asg calls, kubectl apply/wait, editing /etc/hosts with sudo, apt-get install stress-ng, pumba/pod kills, modifying load balancers/target groups, and executing simulated connection leaks against DATABASE_URL. It also queries Prometheus and posts to Slack. These instructions read, mutate, or depend on system state and secrets that are not declared or scoped in the skill metadata.
Install Mechanism: noteThere is no install spec (instruction-only), which reduces installer risk (nothing automatically downloaded at install time). However the content contains commands that will install packages or fetch remote manifests at runtime (apt-get, kubectl apply from remote URLs, downloading Litmus YAML). That means runtime actions can modify the host environment even though no installer is declared.
Credentials: concernThe skill metadata declares no required environment variables or credentials, but the referenced scripts/workflows clearly require: AWS credentials (AWS_ACCESS_KEY_ID/SECRET), kubeconfig or EKS access, Gremlin API key/team id, toxiproxy endpoints, DATABASE_URL (Postgres), Prometheus endpoint, Slack webhook secret, and sudo/root privileges for /etc/hosts edits and package installs. The number and sensitivity of these secrets is large and not represented in the metadata.
Persistence & Privilege: noteThe skill is not marked always:true and is user-invocable (normal). It does not request persistent platform-level privileges in metadata, but the instructions explicitly perform privileged actions at runtime (sudo, system package installs, editing /etc/hosts, terminating cloud instances). Those runtime privileges are significant even though the skill does not request persistent presence.