Skillv0.2.1

ClawScan security

Volcengine Agent Identity · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

BenignFeb 25, 2026, 11:30 AM

Verdict: benign
Confidence: high
Model: gpt-5-mini
Summary: The skill is internally consistent with an identity/credential-management plugin: it asks for no unrelated secrets or installs, and its instructions match the stated purpose — but enabling it grants the agent legitimate power to host and bind credentials to environment variables, so treat that capability as sensitive.
Guidance: This skill is coherent for identity and credential management and does not request unrelated secrets or installs. Before enabling it, consider: 1) Only enable the plugin if you need agent-hosted credentials or OIDC/TIP flows. 2) Review where credentials will be stored and who can access them; ensure storage is encrypted and access-audited. 3) Pay attention to bindings: binding a provider to an env var lets other tools receive those secrets — restrict which tools/agents can use injected env vars. 4) Keep authz.requireRiskApproval enabled (and avoid allowing the agent to self-approve) so high-risk commands require explicit user approval. 5) Monitor approval logs and periodically review providers and bindings. If you are uncomfortable with an agent having the ability to inject credentials into tool invocations, do not enable this plugin.

Review Dimensions

Purpose & Capability: okName, description, and runtime instructions align: the skill is for OIDC login, TIP tokens, credential hosting, and risk approval. It does not request unrelated environment variables or binaries. The declared required config path (plugins.entries.agent-identity.enabled) is appropriate for a plugin of this type.
Instruction Scope: noteSKILL.md instructs the agent to call identity tools for login, status, fetch, list, and binding operations — this is within scope. It explicitly warns the agent not to self-approve user-initiated slash commands. One notable capability: the skill supports binding credential providers to environment variables for other tools (tool injection). That is a legitimate feature for a credential-hosting plugin, but it is powerful because it enables other tools/commands to receive secrets. The instructions do not ask the agent to read arbitrary host files or unrelated env vars, nor to transmit secrets to unexpected external endpoints.
Install Mechanism: okInstruction-only skill with no install spec and no code files — lowest risk from installation perspective. Nothing is written to disk by this skill's manifest.
Credentials: okThe skill declares no required environment variables or primary credential, which is proportional. However, its functionality includes storing credentials and binding them to environment variables for tool use; while appropriate for identity management, that capability effectively grants the plugin the ability to surface secrets to other tools, so operational controls (who can approve bindings, auditing) matter.
Persistence & Privilege: okalways is false and model invocation is not disabled (normal). The skill requires enabling in plugin config; it does not demand permanent always-on inclusion or modify other skills' configs. No other elevated persistence or cross-skill access is requested.