Skill v0.82.3
ClawScan security
agent-bom scan · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Suspicious · Apr 28, 2026, 3:44 AM
- Verdict: suspicious
- Confidence: medium
- Model: gpt-5-mini
- Summary: The skill's stated purpose (local scanning of agents, images, and SBOMs) matches the files and network endpoints it lists, but it instructs the agent to read many local config/MCP files that commonly contain credentials or secrets, and because this is an instruction-only skill the claimed sanitization can't be enforced from the skill bundle alone.
- Guidance: This skill appears to be what it says (an on-host scanner), but it instructs the agent to read many local MCP/agent/project config files that often contain secrets. Before installing: (1) confirm the skill bundle comes from a trusted source (inspect the upstream GitHub repo and the code, especially the sanitize_env_vars implementation referenced in the metadata), (2) run the scanner in an isolated environment or container if possible, (3) avoid running it on machines with sensitive credentials you can't afford to expose, and (4) review any files listed under file_reads to understand what will be accessed. Because this is instruction-only, you should verify the actual agent-bom code (pip package or GitHub source) to confirm the claimed local-only data flow and sanitization behavior.
Review Dimensions
- Purpose & Capability (note): The name and description (agent supply-chain and blast-radius scanning) align with the things the skill enumerates: package CVE lookups, image scanning, Sigstore verification, and discovery of agent/MCP configuration files. Asking to read MCP and project-level config files is coherent for discovering agents and mapping blast radius.
- Instruction Scope (concern): SKILL.md (metadata) explicitly lists many local config paths (~/.config, ~/Library/Application Support, project .mcp.json, etc.) that the skill will read. Those files can contain tokens, credentials, or other sensitive data. The skill claims to sanitize env vars and keep scanning local-first, but because this is an instruction-only skill (no code included in the bundle) the claim cannot be audited here, and the instructions grant broad local file read scope.
- Install Mechanism (ok): There is no install spec in the bundle (instruction-only). The project recommends installing via pipx/pip or using the project's Docker image; those are standard distribution channels and appropriate for this tool. No arbitrary download URLs are embedded in the skill.
- Credentials (concern): The skill declares no required env vars or credentials, which is consistent with its metadata. However, it also declares a long list of config files to read; several (Snowflake, Copilot, CLI configs) commonly hold credentials or tokens. That broad local access is disproportionate for an agent skill unless the user explicitly consents and understands what will be read. The sanitization claim helps but cannot be validated from this instruction-only package.
- Persistence & Privilege (ok): The skill does not request 'always: true' or persistence. Autonomous invocation is listed as restricted in the metadata. It does not ask to change other skills' configs or system-wide settings.
