Skill v3.1.0

ClawScan security

🦒 Giraffe Guard — 长颈鹿卫士 · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Suspicious · Feb 14, 2026, 4:29 AM
Verdict
suspicious
Confidence
medium
Model
gpt-5-mini
Summary
The skill appears to be a legitimate directory scanner (audit.sh + AST analyzer) but contains internal inconsistencies (rule counts and undeclared runtime dependencies) and a network-enabled pre-install mode; review these mismatches and run in a sandbox before trusting it.
Guidance
This package is largely coherent with its claimed purpose (a local scanner), but there are a few things to check before installing or running it:
- Clarify the mismatches: SKILL.md mentions 22 rules while README and scripts indicate 55+ rules; confirm which rules will actually run.
- Ensure required system tools are available: the scripts assume standard Unix tools; python3 is optional but needed for deeper AST checks; git is used by --pre-install. The registry metadata did not list these binaries — don't rely solely on the metadata.
- Be cautious with --pre-install: it clones remote git URLs (network activity). When scanning untrusted repos, run the tool in an isolated environment (sandbox, container, or CI worker) to avoid any accidental execution of untrusted code.
- Review the included scripts yourself (audit.sh and ast_analyzer.py are provided) or run them on test data first. They are intended to scan for secrets and dangerous constructs but will read all files in the target directory — do not point it at sensitive home directories.
- If you need high assurance, request the publisher/source (homepage is missing) or prefer a scanner from a known repository; otherwise run in a disposable environment and inspect outputs carefully.

Confidence is medium because inconsistencies look like sloppy packaging rather than malicious intent, but the lack of declared runtime dependencies and the network-enabled pre-install mode increase risk until clarified.

Review Dimensions

Purpose & Capability
note
The skill's code (scripts/audit.sh and scripts/ast_analyzer.py) implements a supply-chain scanner consistent with the declared purpose. However, metadata lists 'no required binaries' while the textual docs and scripts expect common system tools (bash, grep, sed, find, awk, file, readlink, perl), optionally python3 for AST analysis, and git when using --pre-install. Also the SKILL.md claims 22 detection rules but README/scripts advertise many more (55+ rules / 38 grep + 17 AST). These mismatches are likely sloppy packaging/documentation but should be clarified before installation.
Instruction Scope
ok
SKILL.md instructs the agent to run scripts/audit.sh against a target directory (or with --pre-install clone a repo). The runtime instructions are scoped to scanning files and producing reports. The script may read all files under the target directory (expected for a scanner). It does not appear to instruct modification of system-wide configs or to harvest agent secrets. Note: --pre-install triggers a git clone of a remote repo (network I/O).
Install Mechanism
ok
There is no install spec (instruction-only with included scripts). No remote downloads or archive extraction are defined by the registry metadata. The code is present in the skill bundle and executed as local scripts, which is lower risk than an installer that fetches arbitrary code at install time.
Credentials
ok
The skill declares no required environment variables or credentials (primary credential none), and the scripts do not request secrets. The scanner is designed to detect hardcoded keys in target code but does not require access to any external credentials. This is proportionate to its stated function.
Persistence & Privilege
ok
The skill is not always:true and does not request permanent platform privileges. It does not appear to modify other skills or global agent configuration. Autonomous invocation is allowed (platform default) but not combined with other privileged behaviors here.