Skillv1.0.2

ClawScan security

R4 · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

ReviewFeb 27, 2026, 9:06 AM

Verdict: Review
Confidence: high
Model: gpt-5-mini
Summary: The skill's instructions assume pre-installed R4 CLI and an R4_API_KEY with broad vault access, but the registry metadata does not declare those binaries or credentials — this mismatch and the ability to read/inject secrets are concerning and deserve verification before installing.
Guidance: This skill claims to be a password manager and domain registrar front-end that can read and inject all project secrets, but the registry info does not declare the required CLI or API key. Before installing: 1) Verify the skill author/source (unknown here) and confirm that r4.dev is legitimate for your environment. 2) Ask whether the R4 CLI is actually pre-installed and where the R4_API_KEY will come from; do not assume an API key is present. 3) Confirm the exact vault-item sharing/permissions — which vaults and fields are shared with the agent? 4) Be cautious about allowing autonomous runs that execute commands with injected secrets (r4 run) — secrets could be leaked if the agent runs networked commands. 5) Require the publisher to update registry metadata to list required binaries and the primary env var(s) (e.g., R4_API_KEY) so the permission scope is explicit. If you cannot verify these, run the skill in an isolated/test environment and audit CLI behavior and network calls before granting it access to production secrets.

Review Dimensions

Purpose & Capability: concernThe SKILL.md describes a password-manager + domain-registrar integration that requires an `r4` CLI and an `R4_API_KEY` environment variable. However, the registry metadata declares no required binaries, no required env vars, and no primary credential. That omission is inconsistent: a vault/registrar skill legitimately needs an API key and/or CLI access, so the metadata should declare them.
Instruction Scope: concernThe instructions tell the agent to list and fetch vault items (including 'r4 vault list' which returns all project env vars) and to run commands with secrets injected ('r4 run'). Those actions are within the claimed purpose, but they enable broad secret access and potential misuse. The README also says the CLI and API key are pre-configured — an assumption that may not hold and is not reflected in metadata.
Install Mechanism: okNo install spec is provided (instruction-only), and the single code file only exposes the SKILL.md path and content. Nothing is downloaded or written at install time, which minimizes install-time risk.
Credentials: concernThough the skill clearly needs an `R4_API_KEY` and access to many vault items (usernames, passwords, API keys, SSH keys), the registry declares no required environment variables or primary credential. The skill's effective permissions would be broad (access to many secrets) but that is not articulated in the metadata — this mismatch is disproportionate and should be clarified.
Persistence & Privilege: okThe skill is not set to always:true and does not request elevated persistent platform privileges. Model invocation is allowed by default (normal). The skill does not modify other skills or system-wide settings in the provided files.