Skill v0.82.3

ClawScan security

agent-bom runtime · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Suspicious · Apr 28, 2026, 3:45 AM
Verdict
suspicious
Confidence
medium
Model
gpt-5-mini
Summary
The skill's description matches a runtime-audit helper, but the SKILL.md refers to Python package functions and optional endpoints without providing code, an install manifest, or explicit env-var names—this mismatch warrants caution.
Guidance
This SKILL.md reads like documentation for an external Python package rather than a self-contained skill. Before installing or enabling it:
1. Inspect the referenced PyPI/GitHub package (https://github.com/msaad00/agent-bom and the PyPI page) to verify the source code and release artifacts, and to find out which env vars it actually uses (especially for the ClickHouse and kubectl integrations).
2. Confirm how the agent will obtain the package: automatic pip installs run arbitrary package code at install time, so prefer installing into an isolated environment (pipx or a virtualenv) and review the package contents first.
3. If you plan to provide audit logs or a ClickHouse endpoint, make sure credentials are scoped and stored safely (do not expose cluster-wide kubeconfigs or broad DB credentials).
4. Ask the skill author (or check the repo) for explicit env var names and a clear install manifest; if those are added (or the skill bundles its implementation), reassess.
Given the current mismatch between the claimed tools and the lack of bundled code or an install spec, proceed cautiously.
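Steps 1 and 2 above amount to one concrete check: get the package's release artifact without executing it, then enumerate the environment variables it reads and the external programs it shells out to before any install step runs. The script below is an added example, not ClawHub's scanner and not code from the agent-bom project. It assumes the wheel was fetched with `pip download --only-binary :all: --no-deps <pkg>` (a wheel, unlike an sdist, carries no setup.py that pip could execute), and the wheel it audits is constructed inline with made-up module names and env vars so the example runs offline; agent-bom's real layout and variable names are unknown to this page.

```python
"""Static pre-install audit of a Python wheel (added example, not agent-bom code).

Lists os.environ / os.getenv reads, subprocess / os.system targets and console
entry points found in every .py inside a wheel, so a reviewer can see which
secrets (e.g. a ClickHouse URL, a kubeconfig) and which binaries (e.g. kubectl)
the package will touch before it is ever installed.
"""
import ast
import io
import zipfile
from typing import Optional


def _call_name(node: ast.Call) -> str:
    """Dotted name of the callee, e.g. 'subprocess.run' or 'os.environ.get'."""
    parts = []
    f = node.func
    while isinstance(f, ast.Attribute):
        parts.append(f.attr)
        f = f.value
    if isinstance(f, ast.Name):
        parts.append(f.id)
    return ".".join(reversed(parts))


def _literal(node) -> Optional[str]:
    """String literal value of an AST node, or None if it is not a plain string."""
    if isinstance(node, getattr(ast, "Index", ())):  # Python 3.8 wrapped slices
        node = node.value
    if isinstance(node, ast.Constant) and isinstance(node.value, str):
        return node.value
    return None


def audit_module(source: str) -> dict:
    """Collect env-var names and executed program names from one module."""
    found = {"env": set(), "exec": set()}
    for node in ast.walk(ast.parse(source)):
        # os.environ["NAME"]
        if (isinstance(node, ast.Subscript) and isinstance(node.value, ast.Attribute)
                and node.value.attr == "environ"):
            name = _literal(node.slice)
            if name:
                found["env"].add(name)
        elif isinstance(node, ast.Call):
            callee = _call_name(node)
            # os.getenv("NAME") / os.environ.get("NAME", default)
            if callee in ("os.getenv", "os.environ.get") and node.args:
                name = _literal(node.args[0])
                if name:
                    found["env"].add(name)
            # subprocess.run(["kubectl", ...]) / os.system("kubectl ...")
            elif (callee.startswith("subprocess.") or callee == "os.system") and node.args:
                arg = node.args[0]
                prog = _literal(arg.elts[0]) if isinstance(arg, ast.List) and arg.elts else _literal(arg)
                if prog:
                    found["exec"].add(prog.split()[0])
    return found


def audit_wheel(wheel_bytes: bytes) -> dict:
    """Merge per-module findings across a wheel and record its console entry points."""
    report = {"env": set(), "exec": set(), "entry_points": []}
    with zipfile.ZipFile(io.BytesIO(wheel_bytes)) as zf:
        for info in zf.infolist():
            if info.filename.endswith(".py"):
                mod = audit_module(zf.read(info).decode("utf-8"))
                report["env"] |= mod["env"]
                report["exec"] |= mod["exec"]
            elif info.filename.endswith("entry_points.txt"):
                report["entry_points"] = [
                    line.strip() for line in zf.read(info).decode("utf-8").splitlines()
                    if "=" in line
                ]
    return report


def build_sample_wheel() -> bytes:
    """Constructed stand-in for a downloaded wheel; names are assumptions for the demo."""
    files = {
        "demo_pkg/__init__.py": "",
        "demo_pkg/analytics.py": (
            "import os\nimport subprocess\n"
            "CH_URL = os.environ.get('CLICKHOUSE_URL', 'http://localhost:8123')\n"
            "CH_PASSWORD = os.environ['CLICKHOUSE_PASSWORD']\n"
            "def pods(ns):\n"
            "    return subprocess.run(['kubectl', 'get', 'pods', '-n', ns], capture_output=True)\n"
        ),
        "demo_pkg/audit.py": "import os\nKUBECONFIG = os.getenv('KUBECONFIG')\n",
        "demo_pkg-0.1.dist-info/entry_points.txt": "[console_scripts]\ndemo = demo_pkg.audit:main\n",
    }
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, content in files.items():
            zf.writestr(name, content)
    return buf.getvalue()


if __name__ == "__main__":
    rep = audit_wheel(build_sample_wheel())
    print("env vars read:     ", sorted(rep["env"]))
    print("programs executed: ", sorted(rep["exec"]))
    print("console entry points:", rep["entry_points"])
```

The scan only sees string literals, so an env var assembled at runtime (`os.environ[prefix + name]`) or a binary resolved from configuration will not appear; treat an empty result as "nothing found statically", not as proof of absence, and still do the install in a throwaway virtualenv or pipx environment. Run it against a real wheel by replacing `build_sample_wheel()` with the bytes of the downloaded file.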

Review Dimensions

Purpose & Capability
note: The name/description (runtime security monitoring, context graphs, audit correlation) aligns with the declared capabilities. However, the SKILL.md repeatedly references an external Python package (agent-bom) and callable tools (context_graph, runtime_correlate, analytics_query) while the registry entry provides no code files and no install spec, so the skill is only documentation describing capabilities that depend on an external package.
Instruction Scope
concern: The instructions state that the tool operates only on in-memory scan results and user-provided audit log files (JSONL) and claim 'no automatic file discovery', which is good. But the SKILL.md also instructs installing the agent-bom package via pipx/pip and shows function-like invocations (context_graph(), runtime_correlate(...)). Because there is no bundled implementation, it is unclear whether the agent is expected to import/run external code, install packages, or simply follow high-level guidance. The agent could attempt network installs or run code not present in the skill, which expands the runtime scope beyond the skill's contents.
Install Mechanism
note: There is no formal install spec; the document suggests installing via pipx or pip (and lists a PyPI URL). That is a legitimate, common pattern, but the registry lacks an automated install entry. This mismatch means the agent or user must perform an installation step outside the skill; if done automatically it would fetch code from PyPI/GitHub (network download). The absence of an explicit install manifest in the skill is an integrity/traceability gap.
Credentials
concern: The skill declares 'Zero credentials required' and lists no required env vars, which is consistent with the description. However, it refers to an optional ClickHouse endpoint and optional kubectl usage without declaring the env var names or how credentials would be supplied. That omission makes it unclear what secrets (ClickHouse URL, DB creds, kubeconfig access) the package might request when actually installed and configured.
Persistence & Privilege
ok: Skill metadata shows always: false and autonomous_invocation restricted. The skill declares no persistence, no telemetry, and no privilege escalation. There is no indication it would demand permanent presence or system-wide configuration changes.