Skillv1.0.0

ClawScan security

Claude Skill · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

SuspiciousMar 1, 2026, 10:05 PM

Verdict: suspicious
Confidence: medium
Model: gpt-5-mini
Summary: The skill's README-like instructions mostly match a discovery/catalog role, but there are multiple mismatches and a detected prompt-injection pattern (hidden unicode control characters) that make proceeding without caution risky.
Guidance: This appears to be a community skills-directory, but several inconsistencies and a detected hidden-character injection pattern make it risky to use without manual review. Before installing or letting the assistant auto-install anything: 1) Inspect the raw SKILL.md and any referenced repositories (view source on GitHub or download and open in a hex-capable editor) and remove/observe any hidden control characters. 2) Do not paste private or production repository links into chat unless you trust the assistant and repository owner. 3) If you run 'npx clawhub', realize it will execute code from npm — inspect the package (or run in an isolated environment/container). 4) Prefer to manually download and review skill code and run security scans (Snyk, VirusTotal) as the SKILL.md suggests. 5) If you want greater assurance, ask the maintainer for a provenance/release link (GitHub release, signed commit) and avoid automatic installation flows. If you want, I can fetch and show the top entries and highlight any suspicious repo URLs or patterns to help you decide.
Findings: [unicode-control-chars] unexpected: Hidden unicode control characters were detected in SKILL.md. These are not expected for a simple directory file and can be used to hide or alter prompts and instructions that an agent will follow. Treat the file as potentially tampered-with until raw content is inspected.

Review Dimensions

Purpose & Capability: noteThe SKILL.md content describes a skills directory and discovery assistant, which aligns with the stated purpose. However metadata mismatches exist (skill title in registry is “Claude Skill” while the file calls itself "awesome-skills-directory" and a different author/slug are present). The instructions recommend using tools like 'npx clawhub@latest' and automatic 'paste GitHub link and the assistant handles setup' flows — reasonable for a directory skill but not declared in the registry (no required binaries listed).
Instruction Scope: concernThe instructions are broad: they allow the assistant to recommend and provide installation steps and explicitly encourage pasting GitHub repo links and letting the assistant 'handle setup automatically'. That encourages fetching and installing arbitrary community code. The SKILL.md itself contains a detected prompt-injection signal (unicode-control-chars) which could attempt to manipulate agent behavior. The file otherwise does not instruct reading unrelated env vars or system files, but the automatic-install guidance grants the agent wide discretion to fetch and write code.
Install Mechanism: concernThere is no formal install spec in the registry (instruction-only), but SKILL.md recommends installation via 'npx clawhub@latest install <skill-slug>' or copying folders into ~/.openclaw/skills. The skill metadata declares no required binaries (npx/node/npm not listed) — this mismatch is a red flag. The quick-install-by-pasting-GitHub approach implies ad-hoc downloads from arbitrary repositories, which is higher risk when not constrained or audited.
Credentials: okThe skill requests no environment variables, no credentials, and no config paths in metadata. The SKILL.md does not ask for secrets. This is proportionate to a discovery/catalog role.
Persistence & Privilege: okThe skill does not request always: true or system-wide privileges in its registry metadata. The manual install instructions indicate writing files to ~/.openclaw/skills or a workspace when the user explicitly installs a skill — this is expected behaviour for a skills directory and is not inherently privileged.