Skill v1.0.0
ClawScan security
Patrick bot · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Suspicious · Feb 11, 2026, 10:20 PM
- Verdict: suspicious
- Confidence: medium
- Model: gpt-5-mini
- Summary: The skill mostly does what its name claims (a CLI-backed expertise library), but its runtime instructions ask the agent to collect broad company data and to accept/paste a sensitive license token via chat, and there are internal contradictions about what is stored server-side — these mismatches raise security and privacy concerns.
- Guidance: This skill is functionally coherent but asks for sensitive inputs and broad local context in ways that could leak data if you aren't careful. Before installing: (1) do NOT paste your license token into chat unless you fully trust the skill and the receiving agent — instead set the license locally with `patrick-cli set-license` in a terminal; (2) inspect what `patrick-cli fetch initialize` actually sends — does it upload your company data? — and only run it in a controlled environment if you need server-side bootstrapping; (3) prefer to download the binary yourself and manually verify the SHA256 checksum (do not pipe unknown install scripts from curl to bash); (4) avoid giving the agent blanket permission to read Slack/JIRA/git/calendar archives — grant access narrowly and review what is transmitted off-host; (5) if you require stronger assurance, run the CLI in a sandbox or isolated VM and contact the vendor for documentation on data flows and retention (what exactly `send` stores server-side). If you want, I can suggest safer installation steps and a checklist of questions to ask the vendor about data handling and retention.
Review Dimensions
- Purpose & Capability (note): The declared purpose (executive expertise library) aligns with installing a vendor CLI and fetching templates from a server; requiring a patrick-cli binary and a license is reasonable for that purpose. Minor inconsistency: the skill metadata declared no install spec in the registry summary, but the SKILL.md contains installation metadata and an install script — this is likely a packaging omission rather than malicious.
- Instruction Scope (concern): SKILL.md explicitly instructs the agent to enumerate and read broad sources of company data (company data folders, Slack archives, JIRA tickets, git history, calendar events) and to 'load this context into your working memory' before running expertise. It also instructs the user/agent to paste the license into chat for automatic configuration. This is open-ended and grants the skill broad discretion to access sensitive data; it's not clearly limited to only the specific context variables needed for a single request. Additionally, the skill contains contradictory statements about server-side storage (claims 'No user data is logged or stored server-side' while also describing `send` storing results for continuity).
- Install Mechanism (note): Installation downloads a platform-specific binary from https://portal.patrickbot.io and places it in ~/.patrick/bin. The install script attempts SHA256 checksum verification if available. Downloading an executable from the vendor domain is expected for a proprietary CLI, but it is higher-risk than installing from a vetted package repository; the script's checksum steps mitigate some risk but rely on the checksums being available and correct on the same vendor host.
- Credentials (concern): The skill declares no required env vars/credentials, yet the runtime instructions require a license token and encourage pasting it into chat for automatic configuration. Asking the agent to accept license tokens via chat (and to accept a license presented in an installer message) introduces sensitive credential handling that is not represented in the declared requirements. The instruction to access many local systems (Slack/JIRA/files) is disproportionate unless the user explicitly consents and understands what will be read or uploaded.
- Persistence & Privilege (ok): The skill does not request always:true, does not declare elevated system-wide presence, and does not modify other skills. It does recommend cronjobs for scheduled tasks, which is a legitimate operational need for periodic briefings but should be configured by the operator. Nothing in the package requests forced persistent inclusion or system-level privilege by default.
