Skill v1.0.0

ClawScan security

chat-ai · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Suspicious · Mar 9, 2026, 6:06 AM
Verdict
suspicious
Confidence
high
Model
gpt-5-mini
Summary
The skill claims to be a text→SQL assistant, but its runtime code injects a hard-coded local project path and imports modules not included in the bundle, which is incoherent and could cause it to execute whatever exists on the host — review before installing.
Guidance
Do not install or enable this skill without further review. The main.py file inserts a hard-coded local path (D:\javaworkspace\Winner-Ai) into sys.path and imports modules not included in the package; if that path exists on your machine the skill will execute code from it, which could access credentials, databases, or network resources. Ask the publisher to either (a) include all required modules in the skill bundle, (b) remove the sys.path injection and rely on standard packaging, or (c) provide a clear list of required environment variables and external services. If you must test it, run it in an isolated sandbox with no access to sensitive credentials, inspect the AIChatOrchestrator and related project code for networking/secret access, and verify what external endpoints and environment variables it uses.

Review Dimensions

Purpose & Capability
concern: The SKILL.md describes a text-to-SQL assistant and requires only a 'query' input, but main.py modifies sys.path to include a hard-coded local Windows project root (D:\javaworkspace\Winner-Ai) and imports AIChatOrchestrator and other modules that are not part of the skill bundle. This mismatch (expecting a separate developer project on disk) is not justified by the stated purpose and is disproportionate.
Instruction Scope
concern: SKILL.md instructions are scoped to converting queries to SQL, but main.py's runtime behavior goes beyond that: it injects an external project path, imports app.* modules (including a redis client and orchestrator), and will execute that external project's logic if present. The SKILL.md does not mention reading local code/config or contacting external systems that the imported orchestrator might use.
Install Mechanism
note: There is no install spec (instruction-only), which reduces direct install risk. However, the bundled main.py will attempt to import code from an external, hard-coded filesystem location rather than relying only on bundled code or declared dependencies — effectively making the skill depend on arbitrary host files at runtime.
Credentials
concern: The skill declares no required env vars or credentials, yet main.py imports components (AIChatOrchestrator, get_redis_client) that commonly require DB/LLM/Redis credentials. Those credentials are not declared, so the code could read them from the host environment or project config without user expectation or consent.
Persistence & Privilege
note: The skill does not request always:true and does not persist configuration itself. However, by adding a local project path to sys.path it gains the ability to execute arbitrary code from the host filesystem during invocation — increasing its runtime privileges compared with a self-contained instruction-only skill.