Skillv0.1.3

ClawScan security

Nexus Sentinel · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

SuspiciousFeb 24, 2026, 2:00 AM

Verdict: suspicious
Confidence: medium
Model: gpt-5-mini
Summary: The skill's code and instructions broadly match an SRE monitoring/backup tool, but there are multiple packaging and behavior inconsistencies (missing install spec vs included code, mismatched metadata, an unknown external gateway, and a runtime bug) that warrant caution before installing or providing credentials.
Guidance: Do not install or provide real credentials to this skill yet. Actionable next steps: 1) Ask the publisher to explain the metadata mismatch (registry listing omitted env/binary requirements) and to provide an authoritative install spec. 2) Verify the external service at gateway.maton.ai (who runs it, privacy/security policies) before giving MATON_API_KEY. 3) Fix/inspect code: sentinel.py has a runtime bug (calls undefined get_system_vitals) and the backup/upload flow is incomplete; request or perform a code review. 4) Test in an isolated/staging environment with a limited, revocable credential and network monitoring (so you can see outbound calls). 5) Prefer separate minimal credentials (distinct keys for notifications vs backups) and ensure backups are audited to exclude secrets. If you cannot verify the gateway or the author, treat the skill as unsafe for production.

Review Dimensions

Purpose & Capability: noteThe stated purpose (autonomous SRE agent: monitoring, recovery, backups, notifications) aligns with the code (system vitals, log extraction, notify, backup_file) and the declared dependencies in _meta.json/SKILL.md (docker, pm2, tar, psutil, requests). However the registry-level metadata presented to you earlier said "Required env vars: none" and "No required binaries" which contradicts _meta.json and SKILL.md. That mismatch is a packaging/metadata coherence problem and may hide unexpected requirements.
Instruction Scope: concernSKILL.md instructs the agent to run sentinel.py analyze before restarts, to avoid including .env/secrets in backups without explicit approval, and to install packages if missing — all reasonable for an SRE tool. Concerns: (1) SKILL.md requires MATON_API_KEY, NEXUS_REPORT_CHANNEL, and NEXUS_BACKUP_PATH but the registry listing omitted these, so the runtime will expect secrets the registry didn't advertise; (2) the implementation references an external API gateway (https://gateway.maton.ai) for notifications/uploads — an external service not documented elsewhere; (3) the code enforces a simplistic sensitive-file filter (pattern matching names like "key"/"token") which is error-prone and could produce false negatives/positives; (4) the sentinel.py has a clear runtime bug: main() calls get_system_vitals() but only get_system_report() is defined, so status commands will crash.
Install Mechanism: noteThere is no formal install spec (no downloads/install script) so risk of arbitrary remote code install is low. However the skill contains a Python file that expects local binaries (docker, pm2, tar, curl) and Python packages (psutil, requests) and instructs the agent to offer installing them. Suggesting or automating package installation increases risk if done without review. No external archives or short/unknown URLs are fetched by the skill itself, but it does call out to an external API gateway for network operations.
Credentials: concernThe skill requires sensitive credentials (MATON_API_KEY) plus a WhatsApp target and a backup folder ID for uploading backups. Those are plausible for notifications and remote backups, but: (1) the top-level registry showed no env requirements while SKILL.md/_meta.json do — inconsistent disclosure; (2) a single MATON_API_KEY appears to be used both for WhatsApp relay and GDrive upload via a third-party gateway — combining capabilities under one credential increases risk if that gateway is compromised; (3) the backup_file implementation never performs the upload in included code (returns status ready_for_upload), which leaves unclear how uploads actually occur and whether other secrets/paths would be used.
Persistence & Privilege: okThe skill does not request always:true and does not request unusual platform privileges. _meta.json declares filesystem read/write and outbound network plus commands (docker, pm2, tar) which match the claimed purpose. Autonomous invocation is allowed (platform default) but that, by itself, is expected for an autonomous SRE skill.