v1.0.0

Neckr0ik Security Fixer

ReviewClawScan verdict for this skill. Analyzed May 1, 2026, 6:36 AM.

Analysis

This fixer matches its security-remediation purpose, but it can automatically rewrite local skill files using an undeclared scanner module and lacks clear path containment.

GuidanceOnly run this on a version-controlled copy of a skill, verify the missing audit/scanner dependency before use, start with --dry-run, inspect diffs carefully, and avoid --auto until path containment and secret redaction are fixed.

Findings (4)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

Abnormal behavior control

Checks for instructions or behavior that redirect the agent, misuse tools, execute unexpected code, cascade across systems, exploit user trust, or continue outside the intended task.

Tool Misuse and Exploitation

SeverityHighConfidenceHighStatusConcern

scripts/fixer.py

file_path = Path(vuln.file) ... fix.file_path.write_text('\n'.join(new_lines), encoding='utf-8')

The fixer uses the file path supplied by a vulnerability result and writes back to that path; the visible code does not show validation that the path remains inside the requested skill directory.

User impactA bad or unexpected scanner result could cause the fixer to rewrite files outside the intended skill folder.

RecommendationConstrain every vulnerability file path to the resolved skill directory before reading or writing, show a diff, and require confirmation for any path outside the target.

Agentic Supply Chain Vulnerabilities

SeverityMediumConfidenceHighStatusConcern

scripts/fixer.py

from audit import audit_skill, Vulnerability, Severity ... sys.path.insert(0, str(Path(__file__).parent))

The script depends on an audit module that is not included in the supplied file manifest and is not declared by the install metadata, yet that module controls which vulnerabilities and file paths are fixed.

User impactThe tool may fail or may rely on an unreviewed local/module dependency to decide what code to modify.

RecommendationBundle or pin the scanner/audit dependency, declare it in the install requirements, and avoid ambiguous imports for security-critical file mutation.

Human-Agent Trust Exploitation

SeverityMediumConfidenceMediumStatusNote

references/fix-templates.md

def sanitize_for_prompt(text: str, max_length: int = 1000) -> str: ... sanitized = re.sub(r'[<>\{\}\[\]\\]', '', text)

The documentation presents simple character stripping as a prompt-injection fix, which may be only a partial mitigation.

User impactUsers may over-trust automatically generated fixes and assume a vulnerability is fully resolved when manual security review is still needed.

RecommendationLabel generated fixes as templates, require review for prompt-injection changes, and document the limitations of simple sanitization.

Permission boundary

Checks whether tool use, credentials, dependencies, identity, account access, or inter-agent boundaries are broader than the stated purpose.

Identity and Privilege Abuse

SeverityMediumConfidenceHighStatusNote

scripts/fixer.py

print(f"  Original: {fix.original_code[:80]}...")

For hardcoded-secret findings, the original vulnerable code may include credential values and can be printed during dry-run output.

User impactSecrets already present in source code could be exposed in terminal logs or reports while the tool is fixing them.

RecommendationRedact detected secret values in dry-run and report output, and avoid storing full vulnerable snippets unless the user explicitly requests them.