Skill v1.0.0
ClawScan security
project-assistant · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Suspicious · Mar 11, 2026, 7:50 AM
- Verdict
- suspicious
- Confidence
- medium
- Model
- gpt-5-mini
- Summary
- The skill generally matches its stated purpose (project init/analysis), but there are red flags — a prompt-injection pattern in SKILL.md and analysis modules (env_scanner / Feishu integration) that could read, persist, or transmit sensitive data that the manifest doesn't explicitly call out.
- Guidance
- Before installing or enabling this skill: 1) Inspect SKILL.md, scripts/feishu_doc_manager.py and scripts/analyzers/env_scanner.py to understand what data is read, logged, or transmitted. 2) Be cautious storing any API tokens or secrets: the skill stores config in config.json (cross-session) and supports Feishu tokens — only add tokens if you trust the code and destination. 3) If you plan to run it on sensitive repositories, run it in a sandbox or on a copy without secrets (or remove .env and credentials first). 4) Remove or review any unicode/control characters in SKILL.md (they could be a prompt-injection artifact). 5) If you need guarantees about data exfiltration, require explicit declarations of external endpoints and audit the network behavior of feishu_doc_manager before providing tokens. If you want me to, I can scan the specific files (feishu_doc_manager.py, env_scanner.py, qa_doc_manager.py) and summarize any external network calls, data serialization, or obvious secret-handling code.
- Findings
[unicode-control-chars] unexpected: Unicode control characters were detected inside SKILL.md. This pattern is commonly used in prompt-injection attempts to alter how the agent interprets instructions. Even if accidental, it should be inspected and removed or explained.
Review Dimensions
- Purpose & Capability
- note: Name/description align with the included code: the repo contains many Python scripts for detection, analyzers, QA document management and Feishu integration and the skill only requires python3. However README/SKILL.md mention Feishu tokens (feishu.doc_token, etc.) and cross-session config storage (config.json) but the skill's declared requirements list no environment variables — the feature is supported via stored config rather than explicit declared env vars. That's plausible but worth calling out because credentials may be stored in config.json rather than passed as env vars.
- Instruction Scope
- concern: SKILL.md instructs the agent to scan a project directory, read and update .claude/project.md, run many local analyzers (detector, cache manager, qa_doc_manager, feishu_doc_manager, env_scanner, call-chain analyzer). Those analyzers can read arbitrary project files (including .env, config files, source) and the env_scanner module is present, which may detect/expose environment variables or secrets. SKILL.md also contains detected unicode-control-chars (prompt-injection) which could be an attempt to influence runtime behavior. The instructions do not explicitly warn users about scanning for secrets or external transmission of generated reports.
- Install Mechanism
- ok: No install spec (instruction-only) and required runtime is just python3. Code is provided with the skill (many Python scripts) and will be executed locally; there is no suspicious remote download/install mechanism in the manifest.
- Credentials
- note: The skill declares no required environment variables (good), but supports storing arbitrary configuration (config.json) and references Feishu integration in README/SKILL.md. Feishu tokens are referenced in docs (feishu.doc_token, etc.) and could be stored in config.json via the config_manager. The ability to store arbitrary custom keys (custom.*) means secrets could be persisted across sessions; this is functionally coherent but sensitive and not made explicit in the top-level requirements.
- Persistence & Privilege
- ok: always:false (normal). The skill persists configuration to config.json in its baseDir (documented) to enable cross-session settings. It does not request global system modifications or 'always' inclusion. However cross-session stored config can contain tokens/keys — the skill is allowed to persist data within its own directory.
