Skill v1.0.0

ClawScan security

Nexus Cli · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Review: Mar 13, 2026, 8:50 PM
Verdict: Review
Confidence: high
Model: gpt-5-mini
Summary
The bundle contains a full CLI (Admirarr) and installer artifacts but the registry metadata and SKILL.md declarations are inconsistent (different name, 'instruction-only' claim, missing install spec); the tool auto-discovers/API-reads container configs and can dispatch full diagnostic context to other agents and run fixes — review before installing or granting privileges.
Guidance
Do not install blindly. The package files implement 'Admirarr' (a full media-stack CLI) even though the registry entry labels it differently and claims it's instruction-only. Review the following before proceeding:

1) Inspect install.sh and any remote install URL (the README recommends curl | sh); do not run remote install scripts you don't inspect.
2) Examine internal/keys and any docker-exec usage — the tool auto-discovers API keys from containers, which requires Docker/container access and can expose secrets.
3) Be cautious with 'admirarr doctor --fix' because it will run repairs (restarts, file operations) and may dispatch the full diagnostic context to other agents; only allow fixes when you trust the agent and have backups.
4) Prefer running the CLI in a controlled environment (non-production VM or isolated container) first and confirm exactly what privileges it needs (Docker socket, access to media paths).

If you expect a lightweight 'instruction-only' skill, treat this as suspicious because it bundles an executable project and installer that were not declared in the registry. If you want to proceed, verify source provenance (GitHub Releases or an official maintainer), review the installer script, and run it with minimal privileges.

Review Dimensions

Purpose & Capability
Concern: Metadata at the top says "Nexus Cli" but the included SKILL.md, README, and all source files implement "Admirarr" — a full-featured media stack CLI. The package claims to be instruction-only with no install spec, yet the repository contains a complete Go project, an install.sh, and distribution URLs referenced in README. This mismatch (name vs contents, instruction-only claim vs shipped source and installer) is incoherent and worth flagging.
Instruction Scope
Concern: SKILL.md instructs agents to call the admirarr CLI for status, diagnostics and an AI-powered 'doctor --fix' flow. The codebase implements actions that: query service APIs, run docker/docker-compose commands via exec, read container configs (auto-discover API keys), restart containers, create directories, and optionally delete downloaded files (--delete-files). The 'doctor --fix' step explicitly dispatches remaining issues to detected AI agents with 'full diagnostic context' — this can expose sensitive system state to other agents or systems. These instructions go beyond simple read-only status checks and include potentially destructive or highly sensitive operations.
Install Mechanism
Concern: Registry claims no install spec (instruction-only), but the repo contains an install.sh and README suggests a one-liner curl | sh (get.admirarr.dev) and GitHub Releases/Homebrew/etc. There is no install spec recorded in the registry metadata, so how the binary will be installed by an agent is unclear. The presence of an installer URL in docs (curl | sh) is a higher-risk install mechanism if used — the registry should have explicitly declared the install source. This inconsistency increases risk because an agent or user following the README could fetch/execute remote code.
Credentials
Concern: The skill declares no required env vars, but the tool auto-discovers and stores service URLs and API keys in ~/.config/admirarr/config.yaml and includes code that reads container configs (docker exec) to find API keys. That behavior requires access to Docker/containers and to potentially sensitive secrets (service API keys). Those capabilities are coherent with a media-stack manager but are not reflected in the declared requirements — the skill asks for access to data it does not explicitly declare, which is a proportionality and transparency concern.
Persistence & Privilege
Note: always:false (good). The repo includes .claude agent definitions and an auto-rebuild hook that rebuilds the binary on .go file edits (noted in CLAUDE.md). While the skill doesn't request forced permanent inclusion, the presence of agent hooks and local build scripts means an installed agent could rebuild/replace the binary if it has write access to the repo/output path. This is not itself a disqualifier, but combined with the other concerns it widens the blast radius.