Skill v1.0.0
ClawScan security
agent-generator · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Suspicious · Apr 29, 2026, 10:07 AM
- Verdict: suspicious
- Confidence: medium
- Model: gpt-5-mini
- Summary: The skill's stated purpose (generating agents and system prompts) matches its content, but the included examples show file I/O and OpenAI API use (without declaring required credentials) and a prompt-injection pattern was detected — these inconsistencies and the ability to generate system prompts raise risk and warrant review before use.
- Guidance: This skill appears to be what it claims (an agent/template generator) but contains runnable examples that read/write files and call the OpenAI API even though no credentials are declared. Before installing or using it: (1) don't run example code or paste your API keys into unreviewed templates; (2) treat generated system prompts as untrusted until manually reviewed — they can effectively change agent behavior and can be used for prompt injection; (3) if you plan to let the skill run autonomously, restrict its permissions and require human review/approval of any generated agents or credentials it requests; (4) ask the author why no required env vars are declared despite example code using an OpenAI API key, and request a version that clearly documents credential needs and safe defaults. If you need higher assurance, request a minimal example that omits network calls and file I/O or a version that clearly documents what will run and what secrets are required.
- Findings: [system-prompt-override] expected: An agent generator that builds system prompts and templates will naturally include constructs that create or modify 'system' messages; this is expected. Nonetheless, this pattern is a known prompt-injection vector and should be treated as a security hazard when generated prompts are executed or deployed without review.
Review Dimensions
- Purpose & Capability (note): The name and description (agent-generator) align with the SKILL.md: it focuses on template-based agent generation, DSLs, and system-prompt construction. However, the provided example code (references/examples.md) performs filesystem operations and instantiates an OpenAI client with an apiKey, while the skill metadata declares no required environment variables or credentials — this is an inconsistency the author should justify.
- Instruction Scope (concern): The SKILL.md instructions are high-level and appropriate for an agent generator. The appended references/examples.md includes runnable TypeScript examples that call OpenAI APIs, construct system-role messages, and read/write files. That example code could be used to send potentially sensitive data to external APIs or to produce system prompts that alter agent behavior (prompt injection). The pre-scan flagged a system-prompt-override pattern in SKILL.md, which matches the generator's function but is also a recognized injection vector.
- Install Mechanism (ok): No install spec and no code to execute are included by the platform; this is an instruction-only skill and therefore does not install binaries or download remote archives. Low install risk.
- Credentials (concern): The skill metadata declares no required env vars, but the example code references an OpenAI apiKey (OpenAI client instantiation). That implies the skill's practical use will require credentials (and potentially other secrets) even though none are declared. The mismatch could lead to accidental credential exposure if users copy/run examples without careful handling.
- Persistence & Privilege (note): The skill does not request persistent/always-on privileges and does not modify other skills. However, its purpose (generating system prompts and scaffolding agents, including self-modifying/adaptive systems) means that if the skill is allowed autonomous invocation, it could be used to produce new agents or prompts that alter runtime behavior. Autonomous invocation is the platform default; this capability increases the blast radius if combined with credential access or lax review of generated prompts.
