Skill v0.1.0

ClawScan security

SkillScout · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Review: Feb 28, 2026, 6:59 AM
Verdict: Review
Confidence: medium
Model: gpt-5-mini
Summary
SkillScout's stated purpose (catalog and security reviews) generally matches the repository, but there are several mismatches and undisclosed operational details — notably undocumented runtime dependencies, external endpoints, and scripts that fetch and write code — that warrant caution before running anything from this project.
Guidance
What to consider before using or installing SkillScout:
- Treat the repo as potentially active code: although SKILL.md is brief, the project includes scripts and a server package that will fetch code and write files. Do not run anything blindly.
- SKILL.md examples use curl, python3, and npx, but the registry metadata lists no required binaries. If you plan to follow examples, ensure those tools are available and inspect any remote URLs first.
- The catalog is hosted on an external static site (https://nashbot67.github.io/...). Verify you trust that domain and the JSON it serves before piping it into commands. If possible, fetch and inspect the JSON locally instead of executing it immediately.
- The project claims an isolated, read-only review agent, but the repo contains fetch-and-write scripts — confirm how the review agent is actually invoked and whether network access is used in your environment.
- If you want to run the MCP server (npx @skillscout/mcp): inspect the package on npm (confirm publisher identity), review its code, and run it in a sandbox or ephemeral environment first.
- Prefer manual code review of the scripts (fetch-skill.sh, review-skill.sh, harden-skill.sh, mcp-server) before executing them. Look for any commands that download archives, run installs, or execute unverified code.

If you want, I can:
- List the exact shell commands and files in the repo that perform network or filesystem operations.
- Extract and show the curl/npx/python usage lines so you can inspect the remote endpoints before running them.
- Suggest a safe sequence to test the tool in a sandbox (Docker container) and what to watch for.

Review Dimensions

Purpose & Capability
Note: The name/description (find and evaluate skills) aligns with the included files: a static-site dataset, review templates, an MCP server, and helper scripts for fetching and reviewing skills. However, the SKILL metadata claims 'instruction-only' and lists no required binaries/env, while SKILL.md and the repo clearly rely on external tooling (curl, python3, npx) and network-hosted JSON (nashbot67.github.io). That omission is an incoherence the user should know about.
Instruction Scope
Concern: SKILL.md itself gives simple on-the-wire usage (curl → parse JSON, and 'npx @skillscout/mcp'). The repository contains many scripts (fetch-skill.sh, review-skill.sh, harden-skill.sh, batch-review.sh) that perform network fetches and write files; those behaviors are not reflected in the minimal SKILL.md or metadata. The ARCHITECTURE.md claims a read-only, no-network review agent, but the surrounding scripts indicate the project fetches remote skill sources and writes artifacts to disk — this is scope creep vs the runtime instructions shown to users.
Install Mechanism
Note: There is no declared install spec (lowest-risk surface), but SKILL.md recommends running 'npx @skillscout/mcp' and uses curl/python3 in examples. Running the MCP package (if you do) would execute code pulled from npm; the repository also contains server code (mcp-server) and scripts that download and write files. Absence of an explicit install section and missing declaration of required tools is inconsistent and increases operational risk if users execute the provided commands without inspection.
Credentials
Note: The skill declares no required environment variables or credentials, which is appropriate for a read-only catalog. But the catalog and scripts reference external APIs and processed skills that themselves may require credentials (the included skills.json entries show many skills with 'credentials' permissions). The SkillScout package does not request secrets up front, but running its scripts or the MCP server could lead you to provide API keys for downstream skills. Be mindful that those are for the target skills, not SkillScout itself.
Persistence & Privilege
Concern: always:false (good). Still, multiple examples and scripts in the repo show writing files to user locations (e.g., creating ~/.config/... for reviewed skills). If you run the provided scripts or the MCP server, they may persist downloaded skill artifacts and fetched docs locally. The SKILL metadata did not surface that behavior; users should expect the tool to write files and to run network operations if they invoke it.