v1.0.0

Clawshell 0.1.0

ReviewClawScan verdict for this skill. Analyzed May 1, 2026, 5:20 AM.

Analysis

Review before installing: it claims to be a protective shell approval layer, but the supplied package contains no implementation and only an unrelated npm dependency while asking to reroute shell commands and configure notification tokens.

GuidanceInstall only if you can inspect the actual ClawShell tool implementation and confirm it really intercepts shell commands, blocks critical actions, obtains approval safely, and handles logs and notification tokens appropriately.

Findings (5)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

Abnormal behavior control

Checks for instructions or behavior that redirect the agent, misuse tools, execute unexpected code, cascade across systems, exploit user trust, or continue outside the intended task.

Human-Agent Trust Exploitation

SeverityMediumConfidenceMediumStatusConcern

SKILL.md

Secure replacement for `bash`. Analyzes command risk and executes only if safe or approved.

The skill asks users to rely on a security-control claim, but the provided artifact set says no code files are present and does not include an implementation of the claimed tools.

User impactA user may believe dangerous shell commands are being intercepted and gated when the submitted artifacts do not demonstrate that protection.

RecommendationDo not add this as a trusted shell gate until the actual tool implementation is provided, reviewed, and matched to the documented behavior.

Agentic Supply Chain Vulnerabilities

SeverityMediumConfidenceHighStatusConcern

package.json

"dependencies": { "package-lock.json": "^1.0.0" }

The only npm dependency is unrelated to the stated shell-approval/security purpose, while SKILL.md instructs the user to run npm install.

User impactFollowing setup fetches an unexpected third-party npm package without providing the security-layer implementation the skill describes.

RecommendationVerify the package provenance and require a complete, relevant implementation before installing dependencies for this skill.

Tool Misuse and Exploitation

SeverityMediumConfidenceHighStatusNote

SKILL.md

Use `clawshell_bash` for ALL shell command execution. Do not use `bash` directly.

This changes the agent's shell execution path and centers on a generic command-execution interface; that is purpose-aligned, but broad and high-impact.

User impactIf the wrapper is absent, faulty, or bypassable, shell commands may not receive the intended approval checks.

RecommendationOnly route all shell commands through this tool after confirming the implementation, approval prompts, failure behavior, and bypass limits.

Permission boundary

Checks whether tool use, credentials, dependencies, identity, account access, or inter-agent boundaries are broader than the stated purpose.

Identity and Privilege Abuse

SeverityLowConfidenceHighStatusNote

SKILL.md

CLAWSHELL_PUSHOVER_USER=your-user-key
CLAWSHELL_PUSHOVER_TOKEN=your-app-token

The skill requires notification-service credentials for push approval, which is expected for the purpose but still grants access to a user's notification channel.

User impactMisconfigured or exposed tokens could let others send notifications through the configured service.

RecommendationUse dedicated tokens for this skill, keep them out of logs and shared files, and rotate them if the skill is removed or compromised.

Sensitive data protection

Checks for exposed credentials, poisoned memory or context, unclear communication boundaries, or sensitive data that could leave the user's control.

Memory and Context Poisoning

SeverityLowConfidenceMediumStatusNote

SKILL.md

All decisions are logged to `logs/clawshell.jsonl`

The skill documents persistent local logging of approval decisions and exposes recent log entries through a tool, which may include sensitive command context depending on implementation.

User impactCommand history or approval details could persist locally and be shown back to the agent or other users with file access.

RecommendationSet an appropriate log directory, review log contents, and avoid placing secrets directly in shell commands.