Skill v1.0.0

ClawScan security

MOA-Debate · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Benign · Feb 27, 2026, 11:55 AM
Verdict
Benign
Confidence
medium
Model
gpt-5-mini
Summary
The skill's instructions, requirements, and files are coherent with an Oxford‑style multi‑agent debate simulator and do not request credentials or install code, but it embeds many explicit system prompts which warrant cautious use.
Guidance
This skill appears coherent for running simulated Oxford‑style debates: it contains role system prompts, round sequencing, and structured output formats but requests no credentials or installs. The main thing to watch for is prompt‑injection risk: the skill relies on many explicit system prompts and strict 'return only' instructions which are normal here but could be used to override model behavior if the hosting platform does not enforce prompt isolation. Before installing: (1) confirm the platform prevents skill prompts from accessing or leaking sensitive agent/system context, (2) avoid providing any secret or private material as debate motions or examples, and (3) run a few test debates with non‑sensitive motions to verify outputs match expectations. If you need higher assurance, ask the platform vendor whether skill system prompts are sandboxed and whether skills can access other skills' credentials or agent internals.
Findings
[system-prompt-override] expected: The SKILL.md defines explicit system prompts for multiple roles (Proposition, Opposition, Devil's Advocate, Chair, Judge). This is expected for a multi‑agent orchestration skill. Such patterns trigger prompt‑injection detectors because they attempt to control model behavior, so verify that the platform enforces higher‑level system prompt immutability and that these role prompts cannot cause leakage of sensitive context.

Review Dimensions

Purpose & Capability
ok: Name and description (multi‑agent Oxford Union debate) match the SKILL.md and reference file: the skill is instruction-only and only defines agent roles, prompts, temperatures, round sequencing, and output schemas. Nothing requested (no env vars, no binaries, no installs) is out of scope for this purpose.
Instruction Scope
note: The SKILL.md contains many explicit system prompts and strict output constraints (e.g., 'Return ONLY the question', 'Respond ONLY with JSON'), which is expected for orchestrating multiple LLM roles. These same constructs are commonly flagged as prompt‑injection patterns; while legitimate here, they could be abused if the platform does not enforce system‑prompt isolation or if the skill is given sensitive inputs. The instructions do not reference files, env vars, network endpoints, or any external data beyond standard LLM calls.
Install Mechanism
ok: Instruction‑only skill with no install spec and no code files — lowest risk for arbitrary code execution or supply‑chain downloads.
Credentials
ok: No environment variables, credentials, or config paths are required. The skill does not ask for unrelated secrets or system config access.
Persistence & Privilege
ok: always:false and user-invocable:true (defaults). The skill does not request persistent system presence or attempt to modify other skills' configs. Autonomous invocation is allowed by platform default but not a special privilege of this skill.