Skill v1.0.0

ClawScan security

RUNE Prompt Amplification · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Suspicious · Feb 28, 2026, 8:37 PM
Verdict: suspicious
Confidence: medium
Model: gpt-5-mini
Summary
The skill's runtime instructions and packaged metadata disagree about required secrets and sources (it sources ~/.secrets and expects a local RUNE repo/wand.py), and there are inconsistent repo URLs — this looks like sloppy packaging or possible misdirection and warrants manual inspection before use.
Guidance
Do not install or run this skill until you verify a few things:
1) Confirm which repository is authoritative (neurabytelabs vs mrsarac) and review the wand.py source in that repo — look for network calls, code that reads arbitrary files, or code that sends environment variables/contents elsewhere.
2) Do not blindly append your API key into ~/.secrets; storing multiple secrets in a shared plain-text file increases exposure. Prefer exporting RUNE_API_KEY only in the current shell or using a dedicated, tightly-scoped secret file.
3) Inspect the package.json and SKILL.md inconsistencies; if metadata supplied to the registry says no env vars are needed but the runtime instructions require them, treat that as a red flag.
4) If you must test, run the skill in an isolated environment (VM/container) and audit network traffic to confirm wand.py only communicates with expected endpoints.
5) If you are not comfortable reviewing wand.py or the cloned repo, avoid installing the skill.

Review Dimensions

Purpose & Capability
concern: The skill claims to amplify prompts via a local RUNE 'wand.py' and an API key; that capability justifies needing Python and a RUNE API key. However, the registry metadata provided to OpenClaw lists no required env/files, while SKILL.md and package.json both require RUNE_API_KEY, ~/.secrets, and a local RUNE repo. There is also a mismatch in repository URLs (homepage/neuraByte repos vs the SKILL.md clone URL pointing to mrsarac/master-prompts). These inconsistencies are unexpected and unexplained.
Instruction Scope
concern: Runtime instructions tell the agent/user to source ~/.secrets (loading whatever variables are in that file), to clone an external repo, and to run a local Python script (wand.py). Sourcing ~/.secrets can expose unrelated credentials if that file contains more than the single API key. The SKILL.md clone URL differs from other repo references (neuraByte vs mrsarac), which increases risk because the code you run may come from a different source than advertised.
Install Mechanism
note: There is no install spec (instruction-only), which reduces installer risk. But the skill depends on a locally cloned repo and executing its wand.py; that transfers risk to whatever code is in the external repository you clone. package.json lists python_packages (requests) but SKILL.md does not provide an install step for Python deps — a packaging inconsistency.
Credentials
concern: Requesting a single RUNE_API_KEY is proportionate to the described purpose. However, the skill requires the API key to be placed in ~/.secrets and the script sources that file — this could expose multiple secrets if that file holds other credentials. Additionally, the registry metadata omitted these environment/file requirements, which is an incoherence that increases suspicion.
Persistence & Privilege
note: The skill does not request always:true or other elevated persistence and is user-invocable only. That is appropriate. Still, because the script sources ~/.secrets and executes wand.py from a local repo, it will have whatever local-read privileges that file and repo allow (it can read any files the running user can read via the invoked Python script).