Skill v0.3.0
ClawScan security
Skill Reviewer · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Suspicious · Apr 27, 2026, 1:33 AM
- Verdict
- suspicious
- Confidence
- medium
- Model
- gpt-5-mini
- Summary
- The skill is mostly coherent as a local skill-auditor, but there are mismatches between its stated target locations and what its scripts actually check, and it hard-depends on an external 'skill-creator' skill — these inconsistencies warrant caution before installing or running it.
- Guidance
- This skill appears to be a local reviewer that runs bundled scripts and calls an external 'skill-creator' skill for deep content checks. There are three practical things to consider before using it:
  1. Directory/layout mismatch: The SKILL.md text says it targets .claude/commands/ files, but validate.sh looks for skills/*/SKILL.md. If your skills live in .claude/commands/ the provided scripts won't find them unless you move or adapt files. Confirm the repository layout you intend to scan.
  2. External dependency: The audit requires a 'skill-creator' skill for content-quality checks and explicitly instructs you to halt if it's missing. Verify that 'skill-creator' is available in your agent environment, and be prepared to run that step manually or accept that the audit will be incomplete without it.
  3. Script scope and false positives: quick_validate.py implements a very small YAML frontmatter parser and enforces a strict set of allowed frontmatter keys and naming rules. This can produce false positives for skills that validly use other metadata keys or different layouts. Review failing messages before assuming they indicate malicious content.
  Operational safety tips:
  - Run the scripts in a controlled checkout (not on a sensitive system) to verify behavior.
  - Inspect the scripts (they're short and included) to confirm they won't execute network calls; they do not fetch remote code.
  - If you plan to run this on a CI or shared environment, ensure python3 and a POSIX shell are available and that the repo layout matches what validate.sh expects.
  Given these mismatches and the hard dependency on another skill, the package is coherent enough to use with care but has enough surprising behaviors to label it 'suspicious' rather than 'benign.'
Review Dimensions
- Purpose & Capability
- concern
- The skill's name/description says it audits Claude Code skills stored under .claude/commands/, but the included validate.sh iterates over skills/*/SKILL.md (npx-style layout). That mismatch means the provided tooling won't scan the location claimed in the description without moving files or changing the repo layout. Otherwise the declared capabilities (structure validation + content quality delegation + compatibility checklist) align with the provided scripts and checklist document.
- Instruction Scope
- note
- SKILL.md instructs the agent to run the local validate.sh and to invoke an external 'skill-creator' skill for content-quality checks. validate.sh runs local scripts (quick_validate.py) against repository paths, which is reasonable for a repo-local audit, and SKILL.md explicitly forbids skipping the skill-creator step. It does not tell the agent to read or exfiltrate secrets or network endpoints. However, SKILL.md requires the skill-creator skill to be present and insists on halting if it's not; that strong dependence is a behavioral constraint the user should understand.
- Install Mechanism
- ok
- There is no install step that downloads remote code. All code is shipped with the skill (validate.sh and quick_validate.py). The scripts are self-contained, resolve their own directory, and do not fetch remote artifacts. This is low risk compared with remote install URLs.
- Credentials
- ok
- The skill declares no environment variables, no credentials, and requests no config paths. The scripts require python3 and a POSIX shell environment, which is proportionate to running local validation scripts. There are no secret-looking env var requirements.
- Persistence & Privilege
- ok
- always:false (default) and no behavior that modifies system-wide agent settings is present. The skill executes local scripts only when invoked; it does not request permanent inclusion or elevated privileges.
