Skill v1.0.0

ClawScan security

Neckr0ik Automation Templates · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Benign
Mar 6, 2026, 11:51 PM
Verdict
benign
Confidence
high
Model
gpt-5-mini
Summary
The package appears to be what it says: a collection of automation templates and a small Python script to list/get/generate them — there are a few minor mismatches between the docs and file layout but nothing that indicates covert or disproportionate access to secrets or systems.
Guidance
This package looks like a legitimate templates bundle, but note a few practical issues before installing/using it:
1) The SKILL.md refers to a CLI 'neckr0ik-automation-templates', a templates/ folder, and scripts/generator.py that are not present — you'll likely need to run scripts/templates.py directly or add an entrypoint yourself.
2) The templates contain placeholders for API keys and webhook URLs; never paste production secrets into files or public places — prefer using platform secrets/password stores or environment variables in the target automation platform.
3) Inspect the templates (open the JSON objects in scripts/templates.py or any template files) to ensure no unexpected external endpoints or hard-coded secrets are present before importing into your automation platform.
4) If you need the documentation to match the package, ask the author for a proper install/entrypoint and the missing templates/ generator files.
If you want extra caution, run the script in a local/sandbox environment and review all template contents before use.

Review Dimensions

Purpose & Capability
note
Name/description match the included artifacts: templates described for n8n/Make/Zapier and a Python script (scripts/templates.py) that embeds template data and provides list/get/search/generate functionality. Minor inconsistencies: SKILL.md and 'See Also' reference a templates/ directory and scripts/generator.py, but the package contains an embedded TEMPLATES dict in scripts/templates.py instead of separate template files or a generator.py entrypoint. The claw.json dependency on pyyaml is reasonable for templates. These mismatches look like sloppy docs/packaging rather than malicious intent.
Instruction Scope
note
SKILL.md only instructs the agent/user to list, get, search, and generate templates and to copy/paste resulting workflow JSON into the target automation platform. It does not instruct reading unrelated system files or exfiltrating data. However, the documentation assumes a CLI named 'neckr0ik-automation-templates' that is not provided by an install spec—so runtime instructions may not work as-written without the user creating an entrypoint. The docs also tell users to populate API keys/webhook URLs in templates (expected), so users should avoid pasting real secrets into public/unsandboxed locations.
Install Mechanism
note
There is no install spec (instruction-only), which is low risk. The package does include a Python script and a declared dependency on pyyaml; there is no remote URL download or archive extraction. The missing install/entrypoint means the CLI commands referenced in SKILL.md are inconsistent with the provided files — likely a packaging/documentation oversight rather than an install-related threat.
Credentials
ok
The templates include placeholders for API keys and webhooks (Slack webhook, Airtable API key, Google Sheet IDs, etc.), which is expected for automation templates. The skill does not request environment variables, credentials, or config paths from the agent itself. No unrelated secrets or credentials are required by the package.
Persistence & Privilege
ok
Flags show always: false and normal user-invocable/autonomous settings. The skill does not request permanent presence or elevated privileges, nor does it attempt to modify other skills or system-wide settings.