Skillv0.1.2

ClawScan security

secondme-skill · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

SuspiciousApr 17, 2026, 4:19 PM

Verdict: suspicious
Confidence: medium
Model: gpt-5-mini
Summary: The skill's orchestration and scripts mostly match the stated purpose, but there are mismatches and network dependency risks (npx, remote endpoints, missing dependent script) that require review before use.
Guidance: This package appears to implement the orchestration it describes, but before running it you should: (1) confirm npx and python3 will be available on the runner (scripts expect them); (2) review any code that npx/openpersona will fetch and the contents of the persona-model-trainer's pack_integrate.py (not included here) — these will run arbitrary code; (3) note persona.json enables WebFetch and includes an external gateway URL — ensure you understand and approve any network calls before ingesting sensitive data; (4) run the scripts in an isolated environment (local VM/container) and with test/non-sensitive data first; and (5) ask the publisher for the missing integration script and an explicit list of remote dependencies (npm packages, endpoints) to improve confidence. If you cannot review the remote code that npx will fetch or the pack_integrate implementation, treat this package as higher risk.

Review Dimensions

Purpose & Capability: noteThe skill is an orchestration package for building a 'Second Me' and its files (persona.json, gating scripts, reports) align with that goal. However, the package declares no required binaries yet the scripts clearly require npx and python3 (run-gates.sh checks for them). This mismatch is unexpected and should have been declared in the manifest.
Instruction Scope: concernRuntime instructions operate on local persona.json, generated pack and state files, which is consistent. But allowed-tools and persona.json permit WebFetch and Bash(npx:*, python:*). The scripts call npx openpersona (which will fetch code from npm/registry) and may call pack integration code in another skill (persona-model-trainer) that is not included here. Those networked actions and cross-skill execution broaden scope beyond purely-local file operations and could contact external endpoints or run code you haven't reviewed.
Install Mechanism: noteNo install spec (instruction-only) is lower risk, but the runtime uses npx which will fetch and execute packages at runtime. There are no direct downloads from arbitrary URLs in the repo, but use of npx/openpersona implies dynamic remote code pulls — expected for this purpose but worth auditing.
Credentials: noteThe skill requests no environment variables or credentials, which fits a local-first design. Persona.json contains an external gateway URL (acn-production.up.railway.app) and enables WebFetch — allowed but not justified explicitly by the orchestration docs. No tokens/keys are requested, but network access capability could be used to transmit data unless human approval controls are strictly enforced.
Persistence & Privilege: okalways is false and the skill does not attempt to modify other skills' config or claim elevated or persistent platform-wide privileges. Gate scripts are self-contained and update only pipeline state files in the repo.