Back to skill
Skillv0.1.3
ClawScan security
Jj Mailbox · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
BenignMar 13, 2026, 3:35 AM
- Verdict
- Benign
- Confidence
- high
- Model
- gpt-5-mini
- Summary
- The skill's required tools, env vars, and instructions match its stated purpose: a file-based mailbox using a jj repo; the main risk is user-initiated sync operations which use host git/SSH credentials and will push repo contents to any configured remote.
- Guidance
- This skill appears to do what it says: use a jj repo as a shared mailbox. Before installing or running it: (1) create a dedicated mailbox directory and set JJ_MAILBOX_REPO to it (do not reuse a repo with secrets or important history); (2) avoid putting any credentials or private keys into the mailbox repo — anything in the repo may be pushed to remotes; (3) only run 'jj-mailbox sync' if you trust the configured git remote and understand it will perform fetch/push with your host git/SSH credentials; (4) make the included jj-mailbox.sh executable and review it (it uses python3 one-liners and jj/git commands) before copying to PATH; (5) be cautious if you plan to let an agent autonomously start sync — that increases the blast radius if the remote or repo are untrusted.
Review Dimensions
- Purpose & Capability
- okThe name/description (jj-based file mailbox) align with the listed binaries (jj, git, python3) and the provided CLI script (jj-mailbox.sh). Required env vars (JJ_MAILBOX_REPO, JJ_MAILBOX_AGENT, JJ_MAILBOX_INTERVAL) directly map to mailbox path, agent identity, and sync interval. One minor mismatch: the registry declares a required binary named 'jj-mailbox' while the bundle provides 'jj-mailbox.sh' (the SKILL.md explains the script should be copied to PATH).
- Instruction Scope
- noteSKILL.md and the included script stick to repo-local operations (inbox/, agents/, shared/) for send/receive/registration. The only out-of-repo/network behavior is an opt-in sync loop that runs 'jj git fetch' and 'jj git push' — SKILL.md explicitly warns about this. No instructions ask the agent to read unrelated system files or exfiltrate data beyond the mailbox repo.
- Install Mechanism
- okThis is an instruction-only skill with an included shell script; there is no automated install or remote download. Nothing in the bundle silently writes arbitrary code to disk beyond the provided script.
- Credentials
- noteRequested environment variables are minimal and appropriate for the mailbox. The main security consideration is that 'jj git fetch/push' will use whatever host-level git/SSH credentials are configured; the skill does not request secrets directly but will operate with host credentials when sync is run.
- Persistence & Privilege
- okThe skill is not set to always:true and does not request elevated or persistent platform privileges. It does not modify other skills or system-wide agent settings. Autonomous invocation is allowed by default (platform normal), but the skill does not require automatic background behavior — sync is explicitly opt-in.