Skill v1.0.0
ClawScan security
Security Audit Tools · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Suspicious · Mar 2, 2026, 3:57 PM
- Verdict
- suspicious
- Confidence
- medium
- Model
- gpt-5-mini
- Summary
- The package's tools and instructions broadly match an audit purpose, but there are several mismatches and overclaims (required host tools not declared, a directive to act as a mandatory install-gate that isn't reflected in metadata, and highly optimistic capability claims) that merit caution before trusting it automatically.
- Guidance
- This package looks like a genuine auditing toolkit and contains useful scripts (quick_scan.py, audit-*.sh) that perform static checks, npm pack extraction, and git history analysis. However, before you install or rely on it automatically:
  - Confirm host prerequisites: the README/SKILL.md require git, Node/npm, Python3 and common Unix utilities, but the package metadata did not declare these — ensure these tools are available and run the audit tools in an isolated environment (container/VM).
  - Don't assume automatic enforcement: SKILL.md insists the tool should act as a mandatory install-gate, but the registry metadata does not give it always:true. If you need a blocking gate, you must configure that separately.
  - Treat capability claims skeptically: quick_scan.py and the docs claim 5-second, 100% coverage scanning of tens of thousands of lines — this is optimistic and should be considered a fast pattern scan, not a formal exhaustive review. Use the tools to triage and then perform manual review or sandboxed dynamic analysis for high-risk packages.
  - Network activity is expected: audit-npm-package.sh runs npm view/pack and git clone (network traffic). Run these tools in a network-isolated or monitored environment if you are concerned about contacting unknown repositories.
  - Review and test the scripts first: nothing in the package asks for your secrets, but the scripts examine code for secrets. Run them on sample repositories to validate behavior and fix small bugs (for example, integrity/hash checks) before integrating into automated workflows.

  If you want to proceed, run the tools in an isolated environment and treat their results as triage — escalate any medium/high findings to a human reviewer or a formal security audit.
Review Dimensions
- Purpose & Capability
- note: Name/description (audit third-party packages/repos) aligns with included scripts (quick_scan.py, audit-*.sh, git/history analysis). However, SKILL metadata lists no required binaries while README/SKILL.md require Node, git, Python and common Unix tools — this is an internal mismatch. The skill also claims it should be used automatically as an install gate, but metadata does not set always:true; that discrepancy between claimed operational role and declared privileges should be clarified.
- Instruction Scope
- note: SKILL.md contains detailed, concrete instructions for triage, metadata checks, npm pack + extraction, git clone, and static scans — all within an audit scope. It explicitly forbids executing installer scripts and curl|bash, which is good. One concern: SKILL.md repeatedly instructs the agent to 'automatically use whenever a user asks to install' (acting as a mandatory gate) — that's a behavioral policy for the agent, not an instruction scoped to a single audit run, and conflicts with the registry flags. The instructions also recommend using external capabilities (MCP tools, Docker sandboxing, network monitoring) when available; the skill assumes these are present but does not declare them.
- Install Mechanism
- ok: No install spec; skill is instruction + script files only. The included scripts are local shell/Python tools and do not download arbitrary third-party payloads during install. They do perform network operations during an audit (npm view, npm pack, git clone), which is expected for this purpose. No suspicious external installers or extract-from-unknown-URL patterns are present in the package itself.
- Credentials
- ok: The skill declares no required environment variables or credentials. The audit scripts scan targets for environment usage (process.env etc.) but the skill itself does not request secrets. This is proportionate to an auditing tool. Note: the tools write reports to /tmp and assume presence of host tools; they do not request cloud/service credentials.
- Persistence & Privilege
- note: The skill is not flagged always:true (so it is not forced into every agent run), and it does not attempt to modify other skills or system-wide agent settings. SKILL.md's text repeatedly states this should act as a 'mandatory gate' before installs — a capability/privilege claim that is not implemented in metadata. If the user expects automatic blocking behavior, that expectation is not enforced by the package configuration.
