Skill v1.0.0
ClawScan security
Pain To Pip Package · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Suspicious · Apr 26, 2026, 7:48 AM
- Verdict: suspicious
- Confidence: medium
- Model: gpt-5-mini
- Summary: The instructions describe a coherent pipeline (scan Reddit → build pip CLI → push to GitHub) but the skill omits required tools and credentials and encourages automated pushes/releases, so the declared requirements and runtime actions are not fully aligned.
- Guidance: Before installing or running this skill, verify the following:
  1. The environment has the required tooling (python3, pip, git, GitHub CLI 'gh', optionally setuptools/wheel) — the skill metadata does not list them.
  2. Understand and control credentials: you will need Git credentials or a GITHUB_TOKEN (and possibly PyPI credentials) to push or release — never provide broad-scope tokens to an untrusted agent or skill.
  3. Review any 'scripts/daily-pipeline' code before executing: the SKILL.md assumes local scripts exist and will mutate files and push them upstream; running unreviewed automation can leak data or push undesired content.
  4. Be cautious about including Reddit quotes in README files — they may contain PII or violate Reddit/user terms; sanitize content and confirm license/consent.
  5. Prefer running the pipeline in an isolated VM or container and use a least-privilege GitHub token with minimal scopes (repo:public_repo or a per-repo scoped token) rather than full account tokens.
  6. If you want this to be fully trustworthy, ask the publisher for: an explicit required-binaries list, a list of required env vars (and justification), and the actual scripts referenced (scripts/daily-pipeline) so you can audit them before execution. If those are provided and reviewed, the coherence concerns would be reduced.
Review Dimensions
- Purpose & Capability (note): The stated purpose (turn Reddit complaints into pip-installable CLI tools and push them to GitHub) matches the SKILL.md steps. However, the SKILL.md implicitly requires tools and permissions (git, gh CLI or Git credentials, Python build tools, possibly a GitHub token and/or PyPI credentials for publishing) that the skill metadata does not declare. That mismatch reduces confidence in the manifest's accuracy.
- Instruction Scope (concern): The instructions tell an agent/operator to run commands that modify a repository, create releases, and schedule cron jobs. These actions will require GitHub authentication and write access to a repository. The doc also warns about agent-specific file read/write behavior (the 'execute_code' warning), which signals that the instructions expect direct file manipulation by an agent — a capability that can cause accidental data corruption or unintended uploads if the agent environment differs from what is assumed. The SKILL.md further encourages adding user quotes from Reddit into README files, which raises privacy/PII and licensing concerns but is unrelated to declared requirements.
- Install Mechanism (ok): This is an instruction-only skill with no install spec and no downloads — lowest install risk. That said, the runtime steps assume external binaries (python3, pip, git, gh) that are not declared as required; the lack of an install spec means the operator must ensure these exist before running the pipeline.
- Credentials (concern): The skill declares no required environment variables or credentials, yet the push/release steps and comments about posting indicate the need for GitHub credentials (GH CLI auth or a GITHUB_TOKEN) and possibly PyPI credentials (if publishing to PyPI). This is a proportionality mismatch: sensitive secrets/credentials are necessary for core steps but are not surfaced in the metadata, so an operator might be prompted (or a misconfigured agent might seek) credentials unexpectedly.
- Persistence & Privilege (note): The skill does not request 'always: true' and is not automatically persistent, which is good. However, the SKILL.md explicitly recommends creating cron jobs for daily automation that will repeatedly scan Reddit and push updates to GitHub. If an executing agent is given autonomy to implement those cron jobs, that creates persistent behavior (scheduled, automated pushes/releases). Autonomous invocation combined with credential access would increase the blast radius — the combination should be consciously authorized by the operator.
