Skill v2.1.0

ClawScan security

Creek · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Suspicious
Mar 30, 2026, 7:22 PM
Verdict
suspicious
Confidence
medium
Model
gpt-5-mini
Summary
The skill's instructions match a Creek CLI deploy tool, but important metadata and safety-relevant behaviors are inconsistent or under-specified (notably an undeclared CREEK_TOKEN requirement and automated/secret-displaying commands), so proceed cautiously.
Guidance
This skill appears to be a legitimate Creek CLI wrapper, but there are important mismatches and high-impact instructions you should verify before installing. Ask the author to update the registry metadata to declare the required 'creek' binary and the CREEK_TOKEN environment variable. Only provide a CREEK_TOKEN with the minimum necessary scope (prefer ephemeral or CI tokens), and do not reuse a Cloudflare/organization master key. Be aware the skill tells the agent to run commands with --yes (no confirmations) and to show env values (--show) which can expose secrets; if you allow autonomous invocation, restrict the agent's permission or test in an isolated account/repo first. If you are unsure, request the source/homepage or a maintained install spec from the author before use.

Review Dimensions

Purpose & Capability
concern
SKILL.md clearly implements a Creek CLI deploy/manage skill (init, deploy, domains, env, rollback) which is coherent with the stated purpose. However, the registry metadata claims no required binaries or env vars while the SKILL.md explicitly lists the 'creek' binary and CREEK_TOKEN. That mismatch (undeclared required credential/binary) is unexpected and should be resolved by the author.
Instruction Scope
concern
Runtime instructions instruct the agent to run potentially destructive or sensitive commands with --yes (skip confirmations) and to use 'creek env ls --show --json' which reveals environment variable values (secrets). The guidance to 'follow breadcrumbs' and auto-enable --yes in non-TTY gives the agent broad, autonomous discretion to modify deployments, domains, and env vars. These actions are within a deploy tool's capabilities but are high-impact and not sufficiently constrained in the instructions.
Install Mechanism
ok
This is an instruction-only skill with no install spec or code to write to disk, which is the lowest install risk. SKILL.md suggests installing the Creek CLI via npm globally (npm install -g creek) but the package installation is not part of an automated install spec.
Credentials
concern
The SKILL.md requires CREEK_TOKEN for authenticated operations, which is reasonable for a deploy tool, but the registry metadata did not declare any required env variables. The skill's commands can list and show env vars, set and remove them, manage domains, and perform rollbacks, so the token grants broad, account-level privileges. The required credential should be declared and users should be warned to use least-privilege/CI tokens and avoid exposing high-privilege keys.
Persistence & Privilege
ok
always:false and normal model invocation are set (no forced always-on presence). The skill does not request to modify other skills or system-wide agent settings. Autonomous invocation plus the high-impact CLI commands is normal for a deployer but increases blast radius (not a metadata privilege issue itself).