Skillv1.2.0

ClawScan security

Qclaw Result Checker · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

SuspiciousApr 15, 2026, 2:33 AM

Verdict: suspicious
Confidence: medium
Model: gpt-5-mini
Summary: The skill's stated purpose (querying WorkBuddy results via QClaw) matches the instructions, but it expects and executes a local script (~/.workbuddy/...) via python3 without declaring that dependency and gives the agent permission to run arbitrary local code — this gap in declared requirements and the ability to execute local scripts is concerning.
Guidance: Before installing or enabling this skill, verify the local bridge script it calls (~/.workbuddy/skills/qclaw-workbuddy-bridge/scripts/qclaw_queue.py): inspect its source to ensure it only reads WorkBuddy task data and does not access or transmit other files or secrets. Ensure python3 is available (the skill runs python3 but doesn't declare it). If you didn't install that bridge yourself or don't trust its origin, do not enable the skill. Prefer a version that declares required binaries and provides an explicit install/source (e.g., a known repository or package) so you can audit it. If you allow autonomous invocation, remember the agent may run the script without an additional confirmation — restrict that if you need tighter control.

Review Dimensions

Purpose & Capability: noteName/description claim to query WorkBuddy task results and the SKILL.md instructs exactly that. However the instructions rely on a local bridge script at ~/.workbuddy/skills/qclaw-workbuddy-bridge/scripts/qclaw_queue.py and on python3 — these dependencies are not declared in the skill metadata.
Instruction Scope: concernRuntime instructions tell the agent to run a local Python script in the user's home directory. That script (not included) can read arbitrary local state and transmit/print anything; the SKILL.md does not show or limit what the script does. The instructions therefore permit the agent to execute code that may access or exfiltrate data beyond just 'task results'.
Install Mechanism: noteThis is an instruction-only skill (no install spec), which is low-risk in itself. But because it assumes an external bridge script is present, the lack of an install description or provenance for that script is a gap: users can't verify where the code comes from or whether it was installed safely.
Credentials: okThe skill does not request environment variables, credentials, or config paths beyond the explicit script path. That is proportionate to its task — but see the instruction-scope concern about what the script may access.
Persistence & Privilege: okalways is false and the skill is user-invocable; autonomous invocation is allowed (platform default). There is no claim of persistent/always-on presence. The main risk is the ability to execute the local script when invoked autonomously.