Skill v3.0.0

ClawScan security

Skill Security Reviewer 3.0 · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Suspicious · Feb 11, 2026, 8:01 AM
Verdict
suspicious
Confidence
high
Model
gpt-5-mini
Summary
The skill's stated purpose (analyzing other skills for obfuscation) is coherent, but the SKILL.md contains a detected prompt‑injection pattern and gives the agent wide discretion to read and decode arbitrary skill files — that combination is suspicious and deserves manual review before install.
Guidance
This skill appears to do what it says (read-only analysis of other skills) but the SKILL.md contains at least one prompt-injection pattern. Before installing: (1) manually inspect the entire SKILL.md for any instructions that try to override agent constraints (phrases like 'ignore previous instructions' or embedded 'execute' directives); (2) only run it in a sandboxed agent environment where it cannot access unrelated files or credentials; (3) ensure the agent enforces the 'do not execute decoded code' rule programmatically (not just by prose); (4) if you plan to allow autonomous invocation, consider disabling that until you've audited behavior; (5) if you need more assurance, ask the maintainer for provenance (homepage, source repo, maintainer identity) or run the analysis locally on a copy of the target skill rather than giving the skill access to live system state. Additional information that would change this assessment: presence of embedded instructions in SKILL.md that explicitly tell the agent to execute code or access unrelated credentials, or bundled install scripts/downloader entries — those would raise the severity to malicious.
Findings
[ignore-previous-instructions] unexpected: A prompt-injection pattern was detected in the SKILL.md. For an audit tool this is not expected; it could be an attempt to override host or evaluator constraints. The presence of this pattern should be investigated manually in the full SKILL.md.

Review Dimensions

Purpose & Capability
ok: The SKILL.md describes a tool that audits other skills for obfuscation/evasion and explicitly limits itself to read-only analysis and safe decoding. There are no required binaries, env vars, or install steps, which is proportionate to a static analysis/instruction-only skill.
Instruction Scope
concern: The instructions permit reading and decoding all files of a target skill (reasonable for auditing) but the pre-scan found a prompt-injection pattern ('ignore-previous-instructions') inside SKILL.md. That indicates the skill file may contain content intended to manipulate the evaluator or agent behavior; the README also allows broad decoding of arbitrary encoded/encrypted content which could include active payloads if the 'do not execute' rule is not enforced.
Install Mechanism
ok: No install spec and no code files — lowest risk for on-disk persistence and arbitrary downloads. Nothing is written to disk by an installer; only report outputs are described.
Credentials
ok: The skill requests no environment variables, credentials, or config paths. For its stated audit purpose, this is proportionate.
Persistence & Privilege
note: always:false and no install behavior — the skill does not request permanent presence. However, the skill is allowed autonomous invocation by default (disable-model-invocation:false). Combined with the prompt-injection pattern inside its instructions, autonomous invocation could increase risk if the skill attempts to manipulate agent decision-making.