Skill v1.0.2

ClawScan security

Agent-manager-for-AI-planner · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Suspicious · Feb 19, 2026, 12:00 AM
Verdict
suspicious
Confidence
medium
Model
gpt-5-mini
Summary
The package contains a coherent agent-orchestration server that matches its description, but the registry metadata and install spec are inconsistent with the actual bundle (many config/env options and executable code are included) and the service can send run data outbound if allowlists are misconfigured — review configuration, secrets, and outbound controls before using.
Guidance
What to consider before installing/running this skill:
- Metadata mismatch: although the registry lists no required env vars and says 'instruction-only', the archive includes a full Node.js service (package.json, src/, tests). Treat it as executable code: review the source and run it in an isolated environment first.
- Secrets and API keys: the service accepts provider keys (GATEWAY_API_KEY, OPENAI_API_KEY, ANTHROPIC_API_KEY) and per-tool auth via TOOL_AUTH_<REF>. Set only the minimum keys you need and avoid placing high-privilege secrets in the skill's environment.
- Outbound network risk: the server can make outbound HTTP requests to providers and callback tools. By default outbound is blocked until you configure allowlists, but misconfiguration (OUTBOUND_ALLOW_ALL=true, or an overly broad OUTBOUND_ALLOWLIST, OUTBOUND_HOST_ALLOWLIST or TOOL_CALLBACK_ALLOWLIST) could permit exfiltration of task inputs/artifacts. Keep allowlists strict and prefer explicit host entries.
- Enable access controls: set REQUIRE_RUN_TOKEN=1 and populate RUN_TOKENS to avoid anonymous runs in shared deployments. Disable tool registration (ENABLE_TOOL_REGISTER/ENABLE_TOOL_REGISTRATION) unless you need it and trust registrants.
- Telemetry: enable REDACT_TELEMETRY (mode hash or truncate) if you will share replay/report artifacts outside a trusted environment.
- Run in an isolated environment first: build and exercise the tests (npm ci; npm run test) and run behind a firewall or on an isolated network to verify outbound behavior and that private addresses are blocked as expected.

If you want, I can:
- flag the exact files/lines that reference sensitive env vars and external network calls,
- produce a short checklist of environment settings to safely deploy in production,
- or extract the code paths that perform outbound resolution and tool callback invocation for deeper review.

Review Dimensions

Purpose & Capability
note
The code and SKILL.md implement an orchestration API (plan, run, events, replay, provider adapters, tool callbacks) consistent with the name/description. However, the registry metadata states 'required env vars: none' and 'instruction-only', while the package contains a full Node/TypeScript server and numerous configurable environment variables (GATEWAY_API_KEY, OPENAI_API_KEY, ANTHROPIC_API_KEY, OUTBOUND_ALLOWLIST, TOOL_AUTH_*, etc.). This mismatch between metadata and the code/bundle is an incoherence the user should be aware of.
Instruction Scope
ok
SKILL.md is narrowly scoped to the service's API and operational guidance (endpoints, token header X-Run-Token, allowlists, redaction). It does not instruct the agent to read unrelated local files or exfiltrate secrets. The documentation explicitly warns that task inputs/artifacts may be sent outbound when gateways or callback tools are enabled.
Install Mechanism
concern
The registry claims 'No install spec / instruction-only', but the bundle contains full source, package.json, and tests. There is no declared install script in the skill manifest; installing/running will require npm (node >= 20) and will write and execute code locally. The absence of an explicit install step in metadata while shipping executable code is an inconsistency worth flagging.
Credentials
note
The service legitimately exposes many configuration variables for providers, allowlists, timeouts, and redaction (GATEWAY_URL, GATEWAY_API_KEY, OPENAI_API_KEY, ANTHROPIC_API_KEY, OUTBOUND_ALLOWLIST, TOOL_CALLBACK_ALLOWLIST, TOOL_AUTH_<ref>, etc.). These are proportionate to an orchestration gateway, but the registry metadata does not declare them as required. Because the service can forward task inputs to external hosts (when allowlisted), any provider API keys or TOOL_AUTH_* secrets set in the environment could be used by the service. Ensure only the minimal needed credentials are provided and that permissive allowlist flags (OUTBOUND_ALLOW_ALL) are disabled in production.
Persistence & Privilege
ok
The skill does not request 'always: true' and does not modify other skills' configs. It persists runs only if configured (PERSIST_RUNS) and exposes standard API controls for token enforcement. Autonomous invocation is allowed by platform default but not uniquely elevated here.