Skill v0.82.3
ClawScan security
agent-bom registry · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Suspicious · Apr 28, 2026, 3:45 AM
- Verdict: suspicious
- Confidence: medium
- Model: gpt-5-mini
- Summary: The skill's stated purpose (local registry lookups and trust checks) is plausible, but the SKILL.md and metadata contradict each other about file-system access and network use — review before installing or granting access to local files or tokens.
- Guidance: This skill appears to do what it claims (local registry lookups and trust/SAST checks), but the documentation contradicts itself about reading local files and using networked enrichment. Before installing: (1) inspect the agent-bom package on PyPI or its GitHub source to confirm what files it reads and whether it makes network calls; (2) do not provide an optional SNYK_TOKEN unless you need Snyk integration and trust the package; (3) avoid running scans that target your entire repository (e.g., skill_scan(path='.')) on sensitive data until you confirm exactly what the tool will read/transmit; (4) consider running the package in a sandbox or review its source code (or Sigstore provenance) before granting it access to local files.
Review Dimensions
- Purpose & Capability (note): Name/description (MCP server registry, trust assessment, SAST) matches the declared capabilities (registry_lookup, marketplace_check, code_scan). The packaged-registry claim and optional Semgrep/Snyk enrichment are coherent with the stated purpose.
- Instruction Scope (concern): The SKILL.md repeatedly states "no network calls needed" and that registry data is bundled and lookups are in-memory, but example commands include skill_scan(path='.') and skill_trust(skill_path='./SKILL.md') which imply reading local files and scanning arbitrary paths. The openclaw metadata both says "no file system access needed" and also lists file_reads: user-provided SKILL.md files — an internal contradiction. Additionally, code_scan and skill_verify (Sigstore provenance) may require outbound network access for enrichment or signature verification even if optional. These inconsistencies mean the skill could read more of the local filesystem or access network services than the top-level claims imply.
- Install Mechanism (ok): This is an instruction-only skill that points to installing a PyPI package (pipx/pip). No bundled install script or remote archive URLs are embedded in the skill bundle itself. Installing from PyPI is a normal mechanism, but you should review the actual PyPI package/source before trusting it.
- Credentials (note): No required environment variables or credentials are declared; only an optional SNYK_TOKEN is listed for third-party vulnerability enrichment. Requesting an optional SNYK_TOKEN is proportionate to optional Snyk integration, but providing that token would enable network calls to api.snyk.io — only supply it if you trust the package and need the enrichment feature.
- Persistence & Privilege (ok): Metadata shows no persistence, no telemetry, always:false, and autonomous invocation restricted. The skill does not request persistent installation privileges or cross-skill configuration changes.
