Skill v1.0.0
ClawScan security
Securitysuite · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Suspicious · Apr 13, 2026, 8:07 AM
- Verdict: suspicious
- Confidence: medium
- Model: gpt-5-mini
- Summary: The package is plausibly a local security-scanner service, but its declared install/requirements don't match the code (undeclared imports), and a prompt-injection pattern was detected in the SKILL.md, so the bundle is internally inconsistent and needs closer review before use.
- Guidance: This package appears to implement a local FastAPI-based security scanner, which matches its description, but the bundle is incomplete: the code imports products.promptguard, products.skillscan, and products.scopecheck, which are not included in the package or listed in the install metadata. Before installing or running it, verify that (a) the missing 'products.*' dependencies are provided (or the package author publishes them), (b) the install metadata is corrected to list all PyPI packages required, and (c) you run the service in a sandboxed environment, because pip installs can execute arbitrary code. Also review the source files yourself (or ask the author for a verified source/homepage), and be aware that SKILL.md contains a prompt-injection test string; this is expected for an auditor, but treat any input to the running server as untrusted data. If you proceed after these checks pass, consider running the code in an isolated container and verifying that pip packages come from trusted registries.
- Findings
[ignore-previous-instructions] expected: A prompt-injection pattern was detected in SKILL.md. For a security scanner that catalogs injection patterns, presence of such strings is plausible (catalog examples or detection tests). Still, any code that ingests untrusted skill content should sanitize inputs; the detection itself is not conclusive of malice.
Review Dimensions
- Purpose & Capability (note): Name, description, SKILL.md examples, and the FastAPI endpoints in the code are consistent with a local security/audit service. However, the Python code imports modules under products.* (products.promptguard, products.skillscan, products.scopecheck) that are not provided in the file manifest or declared in the install metadata, which means the bundle as published is incomplete or mis-declared.
- Instruction Scope (ok): SKILL.md instructions are limited to starting a local uvicorn server and sending SKILL.md or text to the server for scanning/audit/batch operations. The examples explicitly read local SKILL.md/skill files and send them to the local server (expected for an auditor). No instructions ask the agent to read unrelated system files or exfiltrate secrets, though the SKILL.md does contain text that matched a prompt-injection detector (see scan_findings_in_context).
- Install Mechanism (concern): Install metadata indicates pip-installable dependencies (fastapi, uvicorn, pydantic, pyyaml), which is reasonable. But the code depends on additional modules under products.* that are not declared or included; runtime will fail unless those packages are present. The registry's single install entry shows an id/kind 'uv', which is unusual and may be a packaging/metadata error. No external downloads or obfuscated install URLs are present.
- Credentials (ok): The skill declares no required environment variables or credentials, and SKILL.md doesn't request secrets. The reporter code warns about env access when it is detected in audited skills, which is appropriate. No disproportionate credential requests are present in the bundle itself.
- Persistence & Privilege (ok): The skill is not always-enabled and does not request persistent platform privileges. It runs as a local server when started and does not modify other skills or system configs in the provided code.
