Skillv1.0.0

ClawScan security

Recognize Intent · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

SuspiciousMar 17, 2026, 1:19 AM

Verdict: suspicious
Confidence: medium
Model: gpt-5-mini
Summary: The skill largely does what its name says (intent recognition) but has a few incoherent or risky behaviors — notably it silently loads a local .env and spawns a Python subprocess that inherits all environment variables and can call a remote Gemini REST endpoint — which could expose secrets if misconfigured.
Guidance: This skill appears to implement intent recognition as described, but pay attention to these points before installing: - .env loading: index.js will read a skills/.env (if present) and inject those variables into the process environment, and the Python subprocess inherits the entire environment. Avoid storing unrelated secrets in .env or the agent environment if you enable this skill. - Remote LLM calls: the Python code can call a Gemini REST endpoint (gemini_api_url) using gemini_api_key / token. If you supply those creds or they exist in environment, the user query and generated prompts will be sent to that endpoint. Only provide keys for a trusted host. - Optional connectors: SKILL.md references Milvus/MySQL/semantic services. Those are optional and degrade gracefully if not provided, but if you configure them they will be contacted and may receive parts of user input or metadata. - Dependency/runtime: this bundle expects Python and the httpx library (and possibly other Python libs). Test in a sandbox or ensure dependencies are installed in a controlled environment. - Inconsistencies: SKILL.md suggests file-based workflows (reading rewrite_output.json and writing intent_output.json) but the packaged index.js uses stdin/stdout instead; expect differing behaviors depending on how you invoke the skill. Recommendations: inspect any skills/.env file before use, avoid placing unrelated secrets in the agent environment, only provide Gemini/API credentials if you trust the endpoint, and test the skill in an isolated environment first.

Review Dimensions

Purpose & Capability: noteName/description match the included code: the Python module implements intent classification, indicator extraction and metric-slot parsing. The SKILL.md documents optional connectors (Milvus, MySQL, semantic services) used for richer behavior; these are declared as degradable (optional) and constructor injection is provided. Minor mismatch: the registry declares no required env vars, yet SKILL.md documents many optional .env keys — acceptable if optional, but worth noting.
Instruction Scope: concernSKILL.md instructs reading/writing files under skills/.workflow and calling the Python script; index.js instead uses stdin/stdout to invoke the Python code. The code will call an external Gemini REST API (if configured) and uses injected services for vector search/DB lookups when present. The instructions mention many .env keys and external services; the runtime will attempt remote network calls (Gemini) which will transmit user queries to that endpoint. The instructions grant the skill discretion to call optional services and to trigger a clarification workflow when confidence <0.7.
Install Mechanism: okNo install spec (instruction+code only). That minimizes supply-chain risk — all code is included in the bundle. Runtime requires Python and the httpx library, but there is no download-from-URL or script that fetches external archives during install.
Credentials: concernThe skill (index.js) loads a .env file from the parent skills directory into process.env if present and passes process.env wholesale into the spawned Python process. Although the manifest lists no required credentials, SKILL.md documents many optional env keys (MILVUS_*, MYSQL_*, GEMINI_*). Because the child process inherits the full environment, any secrets present in the agent environment or .env could be accessible to the skill and, if configured, sent to remote services (e.g., Gemini). This is disproportionate if users keep unrelated secrets in the environment.
Persistence & Privilege: okalways is false and the skill does not request persistent/always-on presence. There is no indication it modifies other skills' configs or requests system-wide privileges.