Skill v1.0.0

ClawScan security

AI Auto Dev · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Suspicious
Feb 25, 2026, 3:14 PM
Verdict
suspicious
Confidence
high
Model
gpt-5-mini
Summary
The skill's instructions request broad filesystem and execution privileges and tell the user to disable safety checks, but the metadata does not declare those requirements—this mismatch and the recommended disabling of approvals are risky and unexplained.
Guidance
This skill instructs Builders to run arbitrary build/test/exec commands and explicitly recommends disabling safety/approval prompts and enabling a 'danger-full-access' sandbox—actions that let automated code run with full filesystem access. The metadata does not disclose these requirements. Before installing or using this skill:
- Do not run it on a machine that contains secrets, long‑term credentials, or important data.
- Prefer running it only inside an isolated, disposable VM or container with no network access to sensitive services.
- Do not accept or apply configs like ask_for_approval='never' or sandbox_mode='danger-full-access' unless you fully trust the Builder source; keep approval prompts enabled.
- Manually review every generated spec (specs/TASK-*.md) and run commands yourself if you are unsure; avoid 'run_in_background' and automatic background execution.
- Verify any Builder binaries come from trusted sources (official registries) and inspect their ~/.config files before use.
- If you lack ability to audit code or run in isolation, avoid installing this skill.
The mismatch between declared metadata and the SKILL.md’s runtime demands is a red flag.

Review Dimensions

Purpose & Capability
concern
The skill claims to automate development (PM + Builder). The SKILL.md requires Builders with full filesystem access and the ability to run npx/node/tsc/python, and even references a config path (~/.codex/config.toml) and settings (ask_for_approval='never', sandbox_mode='danger-full-access'). The registry metadata, however, declares no required binaries, env vars, or config paths—an incoherence: the runtime needs are not reflected in the declared requirements.
Instruction Scope
concern
Instructions ask the agent/Builder to run arbitrary build/test/exec commands, read and write a progress file (.codex-progress.json), spawn background processes, and explicitly instruct disabling approval prompts and enabling 'danger-full-access'. The SKILL.md effectively grants broad discretion to execute arbitrary code and modify project files; it also encourages removing safety confirmations. While these actions map to 'automated dev' purpose, the instruction set goes beyond narrowly scoped automation and instructs lowering safety barriers.
Install Mechanism
note
There is no install spec (instruction-only), so nothing is written by an installer. However, the doc recommends installing third-party Builders via npm/pip (e.g., @openai/codex, aider-chat) and expects them to be run with full privileges. The lack of declared required binaries in metadata vs. explicit install instructions in SKILL.md is an inconsistency to note.
Credentials
concern
Metadata requests no credentials or env vars, but the runtime asks for access to user config (~/.codex/config.toml), full filesystem permissions, and builders configured to bypass approvals. The skill asks for privileges equivalent to system-level access without declaring or justifying any credentials/environment needs—this is disproportionate and opaque.
Persistence & Privilege
concern
The skill does not set always:true, but it instructs making persistent changes to builder config files and to write/modify project state (.codex-progress.json). Critically, it recommends disabling safety prompts (ask_for_approval='never'), which increases the agent's effective autonomy and blast radius. Those persistent safety-lowering changes are a privilege escalation relative to a normal instruction-only skill.