Skillv1.0.0

ClawScan security

agent-teleport · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

SuspiciousFeb 21, 2026, 4:55 PM

Verdict: suspicious
Confidence: medium
Model: gpt-5-mini
Summary: The skill largely does what it says (packs the current workspace and stores it in a TiDB instance), but a few surprising or risky behaviors (auto-provisioning against an external API, uploading your entire CWD to a remote DB, and overwrite-on-restore) make the package worth caution and manual review before use.
Guidance: This skill WILL upload the contents of whatever directory you run it from into a TiDB instance (either one you provide via TIDB_* env vars or a temporary instance it attempts to create). Before installing or running: 1) Review run.py yourself and ensure you understand which files will be included; consider running it from a clean, empty directory or a prepared export directory. 2) Prefer supplying your own TiDB credentials (TIDB_HOST, TIDB_PORT, TIDB_USER, TIDB_PASSWORD) rather than relying on auto-provision; confirm the target DB is under your control. 3) Don't run from your home directory or any directory that may contain secrets (SSH keys, cloud credentials, .env files) — the IGNORE_PATTERNS are not exhaustive. 4) Back up the destination system before running restore: the restore extracts into the current dir and can overwrite files. 5) If you must use auto-provisioning, verify the API endpoint (zero.tidbapi.com) and its privacy/authorization model — auto-provision may result in your data being stored on a third party. 6) Consider encrypting the archive or using a trusted transport before uploading if your data is sensitive. If you are not comfortable with any of the above, do not run the skill.

Review Dimensions

Purpose & Capability: noteName/description align with requesting TiDB access and using Python/curl. Requesting TIDB_* env vars and using python3/curl is coherent for storing/restoring state in TiDB. Minor surprise: the skill will pack the entire current working directory (not a scoped agent-only store), which may include unrelated sensitive files.
Instruction Scope: concernRuntime instructions and included run.py will walk the current working directory, create an in-memory tar.gz of everything not matching a short ignore list, and upload it to a remote TiDB instance. If env vars are absent, the code auto-provisions by POSTing to https://zero.tidbapi.com/v1alpha1/instances via curl. The SKILL.md mentions auto-provisioning but does not fully call out that your entire CWD can be transmitted to a third party or that restore will overwrite files in the destination directory.
Install Mechanism: okInstruction-only install (no remote downloads). The package includes run.py and a requirements.txt (pymysql). No external archives or obscure download URLs. The code does call subprocess to run curl but does not pull arbitrary code from unknown hosts.
Credentials: noteRequested env vars (TIDB_HOST, TIDB_PORT, TIDB_USER, TIDB_PASSWORD) are appropriate for a DB-backed migration tool. However, auto-provisioning when those are not supplied means the skill will contact an external API and may store your workspace on a remote service without you providing credentials — a behavior you should explicitly consent to. The skill does not request unrelated credentials.
Persistence & Privilege: okalways is false and the skill does not request persistent system-level privileges or modify other skills. It writes/extracts files into the current working directory only (can overwrite files) but does not change system configuration or other skill settings.