Skillv1.0.0

ClawScan security

Anticipation · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

SuspiciousFeb 15, 2026, 11:43 AM

Verdict: suspicious
Confidence: medium
Model: gpt-5-mini
Summary: The skill's goal (proactively recognizing user patterns) matches its instructions, but the instructions tell the agent to access many sensitive contexts (open files, running commands, browser tabs, conversation history) and to learn/store patterns without declaring permissions, storage, or consent — this mismatch is concerning.
Guidance: This skill tells the agent to observe and remember sensitive user context (open files, running commands, browser tabs, conversation history) but provides no details about required permissions, where learned patterns are stored, or how users opt out. Before installing, ask the publisher: (1) exactly which data sources the skill will access and when, (2) whether it asks for explicit user consent before each data access, (3) where and how learned patterns are stored, encrypted, and deleted, (4) how to disable proactive/autonomous behavior and opt out, and (5) whether logs of the skill's actions are available for audit. If the publisher can't answer or refuses limits/controls, avoid installing or test it only in a restricted environment. If you must use it, require the minimal possible permissions and verify you can revoke them and delete any stored pattern data.

Review Dimensions

Purpose & Capability: noteThe name and description ('anticipate user needs') align with instructions that ask the agent to observe conversation history and session context. That capability legitimately requires access to session/context data, so purpose and capability are coherent — but the skill does not declare or document the permissions or storage it needs to do this.
Instruction Scope: concernSKILL.md explicitly instructs the agent at session start to check Conversation Summaries, Open Files, Running Commands, and Browser Tabs and to 'learn_pattern' or 'learn_from_mistake'. These are broad, potentially sensitive data sources. There is no guidance about user consent, data minimization, or safe handling (where patterns are stored, retention, or opt-out), so the runtime instructions exceed a narrowly scoped chat helper.
Install Mechanism: okInstruction-only skill with no install spec or code files; nothing is written to disk by the skill package itself. This lowers delivery risk.
Credentials: concernThe skill requests no environment variables or config paths, yet the instructions imply needing access to filesystem (open files), process state (running commands), browser state (tabs), and persistent pattern storage. That discrepancy—no declared permissions or storage but explicit instructions to access and remember sensitive signals—is disproportionate and unclear.
Persistence & Privilege: notealways:false (no forced installation) and autonomous invocation is allowed (platform default). Because the skill is explicitly proactive and can learn patterns, autonomous invocation increases the potential blast radius: it could act or store inferred data without a clear consent/opt-out mechanism. The skill does not request always:true, nor does it declare where it would persist learned patterns.