Skillv1.0.0

ClawScan security

Agent Intelligence · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

SuspiciousApr 1, 2026, 7:25 AM

Verdict: suspicious
Confidence: medium
Model: gpt-5-mini
Summary: The skill claims to be a database of sensitive internal telemetry, remote-control settings, and hidden features but is missing provenance, bundled data, and an install/dependency spec — that mismatch and the sensitive nature of the claimed content warrant caution.
Guidance: Proceed with caution. This skill claims to catalogue telemetry endpoints, remote-control settings, feature flags, and unreleased tools—data that could be sensitive or enabling of misuse. Before installing or invoking: 1) Ask the author for provenance, citations, and the raw dataset files (the SKILL.md lists datasets but they are not bundled). 2) Verify the npm packages referenced (@claws-shield/cli, @claws-shield/intel, @claws-shield/core) in a safe environment: inspect their source repository, release signatures, and maintainers. 3) Avoid running npx or node scripts that will fetch remote packages on a production machine—use an isolated sandbox or VM. 4) If you need this functionality, prefer a version that bundles the data or uses a documented, auditable remote API with clear provenance and access controls. 5) If you cannot obtain trustworthy provenance and a bundled dataset, treat this skill as potentially risky and do not run it with real credentials or on critical systems.
Findings: [no-static-findings] unexpected: The static scan reported no injection signals or suspicious regex matches. That does not imply safety: the skill is largely instruction-only and references external npm packages and datasets that are not bundled, so risk comes from runtime fetches rather than static code in the package.

Review Dimensions

Purpose & Capability: concernThe skill's stated purpose is an intelligence DB containing telemetry endpoints, remote-control settings, feature flags, and unreleased tools. However, the package does not include the claimed JSON datasets in the file manifest, and the single helper script imports @claws-shield packages that are not declared or bundled. The skill therefore claims access to potentially sensitive data but doesn't provide those data files or document how they will be obtained, which is incoherent and concerning.
Instruction Scope: noteSKILL.md instructs using npx @claws-shield/cli or node scripts/query-intel.mjs to query the KB. The instructions themselves are narrowly scoped to searching a knowledge base and do not explicitly instruct reading unrelated system files or exfiltrating secrets. However, allowed-tools include Bash/Read/Grep (which permit file reads), and the content claims knowledge of telemetry endpoints and remote-control infrastructure — datasets that could be abused if accurate. The instructions give broad freedom to run npx (which performs network fetches) but do not document where the underlying data come from.
Install Mechanism: concernThere is no install spec even though the SKILL.md and scripts reference an npm CLI (@claws-shield/cli) and modules (@claws-shield/intel, @claws-shield/core). That means using the skill as documented will cause agent/ user to run npx or otherwise fetch packages at runtime from an external registry. The absence of a declared dependency list or trusted release host is an incoherence and increases risk because arbitrary code could be pulled during invocation.
Credentials: concernThe skill requests no environment variables or credentials, which on the surface is good. But the claimed content (telemetry endpoints, remote-control managed-settings, undercover mode, killswitches) is highly sensitive. The skill's metadata provides no provenance, citations, or included data files; an attacker-controlled or low-quality data source could expose harmful endpoints. The lack of provenance and missing data bundling makes it hard to justify trusting this skill with sensitive operational use.
Persistence & Privilege: okThe skill does not request always:true, does not declare system-wide config changes, and is user-invocable. There is no explicit persistent privilege or automatic inclusion. This aspect is proportionate.