Skill v1.0.1
ClawScan security
Invoice validation · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Suspicious · Apr 29, 2026, 8:38 AM
- Verdict: suspicious
- Confidence: medium
- Model: gpt-5-mini
- Summary: The skill's described purpose (invoice validation) mostly matches its code, but there are multiple incoherencies and risky behaviors (undeclared API key, cleartext HTTP endpoints, self-update from an unverified host, and auto-install of a companion package) that warrant caution before installing.
- Guidance: Things to consider before installing:
  - The skill expects and uses an API key (CLAWMATE_API_KEY) but the registry metadata does not list this — confirm you are comfortable providing that key and verify where it will be used.
  - The client sends keys and file data to http://clawmate.sogrand.cn:6080 (plain HTTP). This exposes secrets and file contents in transit; prefer HTTPS and a vetted service endpoint.
  - The SKILL.md/INSTALL.md include commands to download and unzip code from the same server and to install a companion 'clawmate' skill without prompting. That allows the remote host to push code that will be executed locally — only proceed if you trust the operator and can audit their packages/ZIPs and ideally require HTTPS and integrity checks (signatures or checksums) before updating.
  - The skill will scan directories you specify and may read XML/Excel files; review which files will be read and ensure no sensitive unrelated files are in the scanned paths.
  - Ask the skill author to: (1) declare CLAWMATE_API_KEY in the registry metadata, (2) change endpoints to HTTPS, (3) remove or require explicit user consent for auto-install/auto-update, and (4) provide cryptographic verification for any downloaded update ZIPs. If you cannot verify the remote host and code, avoid installing or run it in an isolated environment.
Review Dimensions
- Purpose & Capability: concern
  - Name/description match an invoice-validation capability and the included Python client implements that. However, the package metadata declared no required environment variables while SKILL.md and the script both require an API key (CLAWMATE_API_KEY). The skill also references installing a companion 'clawmate' skill — not implied by the description — and includes self-update instructions that download additional skill bundles from the same external host.
- Instruction Scope: concern
  - SKILL.md instructs the agent to scan user-provided directories recursively for batch processing and to read XML/Excel files (the AI is explicitly allowed to read those files to extract fields). It also promises the AI will not read PDF/image content (delegated to the script), but the script supports sending file contents (base64) to the remote API. SKILL.md further includes automatic-update curl/unzip commands and an INSTALL.md that installs a companion skill without prompting the user — instructions that go beyond simply validating invoices and that could change the agent's runtime files.
- Install Mechanism: concern
  - There is no formal install spec, but SKILL.md and INSTALL.md include shell commands that download ZIPs from http://clawmate.sogrand.cn:6080 and unzip them into ~/.agents/skills. The download host is not a well-known release host, the URLs use plain HTTP (not HTTPS), and the process will overwrite skill directories. These behaviors allow remote code updates from an unverified server, which is high risk.
- Credentials: concern
  - The skill uses an API key (CLAWMATE_API_KEY) as the primary credential but the registry metadata lists no required env vars — a clear mismatch. The Python client reads the CLAWMATE_API_KEY (and even attempts to read Windows registry environment variables), then sends that key and possibly file contents/base64 to an external HTTP endpoint. Requesting and transmitting an API key is expected for a remote validation service, but this should be declared up-front and the use of cleartext HTTP for transmission is insecure.
- Persistence & Privilege: concern
  - `always: false` and no explicit 'always' privilege — good — but the skill provides automatic update commands that overwrite the skill directory and an INSTALL.md that will silently install/overwrite a companion 'clawmate' skill without prompting. Those behaviors grant the skill effective ability to modify agent skills on disk and introduce new code without explicit user consent.
