Skill v1.0.8
ClawScan security
Context — Multi-Agent Collaboration Engine · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Suspicious · Apr 20, 2026, 12:34 PM
- Verdict: suspicious
- Confidence: medium
- Model: gpt-5-mini
- Summary: The plugin's code mostly matches its stated collaboration purpose, but there are multiple incoherent and risky choices (mixed hardcoded server URLs, silent remote defaults, mandatory remote-write guidance, and 'viral propagation' behavior) that merit caution before installation.
- Guidance: This plugin will inject shared SPACE/TEAM/TASK contents into agents' system prompts and push agent outputs to a configured Context server. Before installing: (1) verify and trust the Context server you configure — do not point it at an unknown public URL; (2) turn off autoInject or test with autoInject=false while auditing behavior; (3) inspect the server implementation (the manifest points to a GitHub repo) to confirm it won't store or forward sensitive data; (4) be cautious with sensitive content — the plugin encourages writing all outputs to the remote space; (5) note the inconsistent hardcoded defaults (localhost vs https://context-server-mj6f.onrender.com) — confirm which server the plugin will actually talk to and whether an auth token is supported/used; (6) if you need to use it, prefer deploying your own local Context server and point the plugin to it, and monitor network traffic (or block external network access) while testing.
Review Dimensions
- Purpose & Capability (note): The skill claims to provide shared spaces, auto-injection of SPACE.md/TEAM.md/TASK.md, tools to read/write files, and viral share URLs — and the code implements those features. However there are inconsistencies: several modules hardcode CTX_BASE='http://localhost:3100' while SKILL.md and index.ts reference a remote default (https://context-server-mj6f.onrender.com). package.json exposes a 'token' config that the code never uses. These mismatches look like leftover dev/test defaults or sloppy configuration and reduce confidence that network behavior is intentional or limited to a single server.
- Instruction Scope (concern): The prompt-hook actively auto-injects protocol files into every agent system prompt and the code contains explicit text that instructs agents to 'write all work output' to the shared remote space (not local workspace). That is scope-expanding: it causes agents to push potentially sensitive outputs to an external service and modifies agent behavior platform-wide via a prompt hook. The plugin also provides gateway proxying (/ctx/ route) and a viral URL mechanism that can cause other agents/users to be redirected to installation guidance or server content — this enables spread beyond an initial group.
- Install Mechanism (ok): No external install script or remote download is declared in the SKILL.md or package metadata; this is an instruction-and-code bundle. Nothing in the manifest shows arbitrary remote code being fetched during install, which is lower installation risk. (That said, runtime network I/O to the Context server is core to functionality.)
- Credentials (concern): The skill does not declare required environment variables, which superficially seems good, but package.json documents a 'token' config that the code does not consume. More importantly, the plugin's behavior encourages sending all agent outputs to a remote server (configurable but defaults differ across components). That is disproportionate for many users: it can exfiltrate conversation content, files, and task data to an external host. The code also adds an identifying header 'X-Context-Plugin' to proxied requests, which may be used to fingerprint or signal plugin presence to the server.
- Persistence & Privilege (note): always:false (good), but the plugin registers a before_prompt_build hook that auto-injects context into system prompts whenever enabled. That is a powerful capability that affects all agent responses in groups where it's active and supports the 'viral propagation' design. Because the plugin can autonomously append system context and register agent tools, it has a broad runtime footprint even without 'always:true'.
