Skill v0.2.2

ClawScan security

local-coding-orchestrator · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Suspicious (Mar 9, 2026, 5:05 AM)
Verdict: suspicious
Confidence: medium
Model: gpt-5-mini
Summary
The skill's documentation and instructions broadly match a local orchestration purpose, but the runtime instructions reference missing scripts and ask the agent to read/write repositories and launch local CLIs / background processes — an incoherence that deserves caution before installing or running.
Guidance
This skill appears to be an orchestration scaffold for local coding tools and will instruct the agent to read/write repos and to launch local CLIs and background processes. Before using it: 1) verify you trust the skill author and the host machine; 2) check whether the referenced PowerShell scripts (assets/scripts/*.ps1) actually exist — they are referenced heavily but are not included in the provided files; 3) back up any target repositories and run the skill in a sandbox or test repo first; 4) confirm which local CLIs (codex, claude, opencode) you actually have and whether you want the orchestrator to be allowed to write into those repos; and 5) ask the publisher for the missing scripts or a clear installation/usage package — the current package is incomplete and could lead to unexpected agent behavior if followed verbatim.

Review Dimensions

Purpose & Capability
note: The name/description align with the files: this is a local supervisor/orchestrator for local coding CLIs (codex, claude, opencode). However, many runtime commands and examples reference assets/scripts/*.ps1 wrappers and process/session handling that are not present in the package. That mismatch (instructions expecting scripts that aren't included) is an incoherence — either the skill is an instruction-only scaffold that expects external scripts, or required runtime components are missing.
Instruction Scope
concern: SKILL.md and the docs instruct the agent to create task directories, persist JSON task records, read repo paths, run local CLIs, launch background processes, poll PIDs and session ids, and run PowerShell scripts (e.g., assets/scripts/supervise-task.ps1). Those are legitimate for a local orchestrator but are broad privileges (filesystem and process control). The bigger concern: the instructions call out specific scripts that are not bundled, so following them could lead the agent to run arbitrary commands or fail in unexpected ways. The instructions also leave broad discretion to write to user repos (the supervisor may edit metadata or, by exception, product code), so you should only use this on trusted machines and after validating the intended scripts.
Install Mechanism
ok: There is no install spec (instruction-only). That reduces risk because nothing is downloaded or written by an installer. However, functionality depends on local CLIs and on scripts referenced in the docs (which are missing), so the package as provided is incomplete for automated use.
Credentials
note: The skill declares no required env vars or binaries. That is consistent with being an orchestration scaffold that uses whatever local CLIs are present. The docs do expect access to repo paths, filesystem write capability, and the ability to inspect processes/pids; those are proportional to the stated purpose but are sensitive. The docs mention credential-related failure classes, yet no specific credential names are requested — the supervisor may detect missing credentials but does not declare needing them up front.
Persistence & Privilege
note: always:false and no install are appropriate. The skill explicitly recommends persistent task files and background worker metadata on disk; that is expected for an orchestrator but means it will create and modify files in user directories. It does not request elevated platform privileges or system-wide changes in the metadata provided, but persistent filesystem writes and background process management increase the blast radius if misused.