Skill v1.0.0

ClawScan security

Agent Auditor · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Suspicious · Apr 1, 2026, 7:25 AM
Verdict: suspicious
Confidence: medium
Model: gpt-5-mini
Summary
The skill is mostly a thin wrapper that delegates auditing to an externally published npm package (@claws-shield/auditor) which is not included or vetted in the skill; that external dependency creates a meaningful risk and leaves the skill's true behavior opaque.
Guidance
This skill is a wrapper around an external npm package that is not included in the bundle. Before installing or running it:
(1) obtain and review the source of @claws-shield/auditor (or the @claws-shield/cli) — do not run npx blindly;
(2) prefer a locally vendored, pinned version of the auditor so you can inspect it;
(3) run the tool in an isolated sandbox or offline environment first (no network) to see what files it reads/writes;
(4) check npm package metadata, publisher, versions, and integrity (tarball SHA);
(5) avoid providing credentials or sensitive environment variables while testing;
(6) if you cannot audit the external package, treat the skill as untrusted.
These steps will reduce supply-chain and exfiltration risk.

Review Dimensions

Purpose & Capability
concern: The name, description, and SKILL.md all describe an audit tool and the included wrapper script matches that purpose. However the real audit logic is delegated to an external npm package (@claws-shield/auditor) referenced by the script and by SKILL.md (npx @claws-shield/cli), but the skill provides no install spec or package source. That omission is disproportionate: a security/audit skill should either include its implementation or clearly declare and pin the external artifact being executed.
Instruction Scope
concern: Runtime instructions tell the agent to read and analyze a target source tree (expected). But the included script simply imports and runs runAudit from @claws-shield/auditor — meaning the skill delegates arbitrary logic to that package. The SKILL.md gives no constraints on network access, telemetry, or on what runAudit may itself read, write, or transmit, so the true runtime scope is unknown and could include network exfiltration or reading unrelated environment/config.
Install Mechanism
concern: There is no install spec. SKILL.md suggests using npx or node to run a package that is not bundled. Relying on npx/npm at runtime pulls arbitrary code from the npm registry (moderate-to-high risk) and the skill's on-disk files are only a tiny wrapper, so you cannot audit the actual logic without fetching the external package. This is a material install/supply-chain risk.
Credentials
note: The skill declares no required environment variables or credentials, which is reasonable for a source-only audit. However because the audit logic lives in an external package, that package could attempt to read environment variables, credentials, or system config without that being declared. The lack of declared env vars therefore reduces transparency and is a risk factor.
Persistence & Privilege
ok: The skill does not request always:true, does not declare persistent privileges, and contains no install that writes files beyond what npx/npm would normally cache. There is no explicit attempt to modify other skills or system-wide config in the provided files. Still, the external package could perform writes at runtime — that behavior is not visible from the skill bundle.