Skill v1.0.0

ClawScan security

project-init · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Suspicious · Apr 29, 2026, 1:46 PM

Verdict: suspicious
Confidence: medium
Model: gpt-5-mini

Summary
The skill's code matches its stated purpose (creating Gitea repos and notifying members), but the package metadata omits required credentials, and the package defaults to an external Gitea host and executes an external email script path. These inconsistencies, together with the execution of code outside the skill, warrant caution.
Guidance
Key points before installing/using this skill:
- The skill needs a Gitea Personal Access Token (GITEA_TOKEN) and Gitea URL (GITEA_URL) to create repos, but the registry metadata incorrectly omitted these. Do not assume no credentials are required.
- env-example.txt contains a default GITEA_URL pointing to http://43.156.243.152:3000. Do NOT leave the default unless you control or trust that host; otherwise your token could be tested against or sent to an unintended server.
- The skill calls an external email helper by running node <EMAIL_SKILL_PATH>/scripts/smtp.js. Ensure EMAIL_SKILL_PATH points to a trusted skill/installation and review that smtp.js before supplying the path, because the skill will execute that script with your configured account and may pass it error messages or other content.
- Check which scopes the Gitea token needs and provide the minimum required privileges (repo creation, collaborator management). Avoid using high-privilege tokens that give access to unrelated orgs or resources.
- Because the package metadata is inconsistent (missing declared env vars, no homepage/source), prefer to inspect the shipped code locally before use, or run it in an isolated test account/environment first.

What would change this assessment to 'benign': the publisher proves identity and provides a homepage/source repository, the registry metadata is corrected to declare required environment variables (and required credentials), and the default GITEA_URL is removed or set to a neutral placeholder. If you cannot verify the author/source, treat the skill as untrusted and audit the code and the external smtp.js before supplying secrets.

Review Dimensions

Purpose & Capability
concern: The skill's stated purpose is to initialize Gitea repos; the shipped code (main.js and scripts/init_repo.py) legitimately requires access to a Gitea server and a Personal Access Token to create repos, set collaborators, and write files. However, the registry metadata incorrectly lists no required environment variables/credentials, while SKILL.md, env-example.txt, setup.sh and init_repo.py all expect GITEA_URL, GITEA_TOKEN, GITEA_ORG, EMAIL_SKILL_PATH (and optionally EMAIL_ACCOUNT). That metadata omission is an incoherence and can mislead users about what secrets are required.
Instruction Scope
note: SKILL.md describes collecting repo name/description/members and performing the initialization; the implementation follows that scope. The runtime instructions and code also call out to an external 'imap-smtp-email' skill (EMAIL_SKILL_PATH) and will fetch user emails from Gitea to send notifications. The instructions do not ask for or read unrelated system files, but they do cause execution of an external Node-based smtp.js script (path supplied by the user), which means the skill can execute code located outside its own bundle.
Install Mechanism
ok: No packaged install mechanism is used (instruction-only with optional setup.sh). setup.sh installs Python requirements from PyPI and checks Node.js; dependencies are small and expected (requests, python-dotenv). There are no remote install URLs or archive extracts. This is low-risk from an installation-download perspective.
Credentials
concern: The skill requires a Gitea access token (GITEA_TOKEN) and GITEA_URL to operate, but the registry manifest advertised 'Required env vars: none'; that mismatch is problematic. Additionally, env-example.txt and the code use a hardcoded default GITEA_URL of http://43.156.243.152:3000; if a user leaves the defaults or follows the example, the skill will test the provided token against that external IP. The skill also requires EMAIL_SKILL_PATH, which grants the skill the ability to execute a Node script at an arbitrary filesystem path (potentially a different skill). Both facts increase the chance of credential misuse or inadvertent token transmission to the wrong host if users accept defaults or misconfigure paths.
Persistence & Privilege
ok: The skill is not always-enabled and does not request system-wide privileges. It stores ephemeral conversation state in a temp file and (via setup.sh) writes a config file to ~/.config/project-init/.env with mode 600. It does not modify other skills' configs. However, it will execute code in an external EMAIL_SKILL_PATH (node smtp.js), so that external path must be trusted.