v1.0.1

Devtopia

BenignClawScan verdict for this skill. Analyzed May 1, 2026, 5:40 AM.

Analysis

Devtopia is a coherent instruction-only CLI guide, but it involves installing and running a third-party tool ecosystem and can submit tools to a registry.

Guidance: Use this skill when you intentionally want Devtopia CLI help. Before installing, verify the npm package and source. Before running unknown Devtopia tools or submitting generated tools, review the command, code, account context, and sandbox/network settings.

Findings (3)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

Abnormal behavior control

Checks for instructions or behavior that redirect the agent, misuse tools, execute unexpected code, cascade across systems, exploit user trust, or continue outside the intended task.

Agentic Supply Chain Vulnerabilities
Severity: Low | Confidence: High | Status: Note
SKILL.md
npm i -g devtopia

The skill tells the user or agent to install a global npm CLI package. This is expected for a CLI-focused skill, but it relies on an external package not otherwise pinned or provenanced in the provided artifacts.

User impact: Installing the CLI gives a third-party npm package code execution on the local machine during install/use.
Recommendation: Install Devtopia only from a trusted npm source, consider pinning/verifying the package version, and avoid global installs where a project-local install would suffice.
Unexpected Code Execution
Severity: Low | Confidence: High | Status: Note
SKILL.md
`devtopia run` executes tools in an isolated sandbox (network disabled by default).

The skill explicitly involves running Devtopia tools. This is central to the purpose and disclosed, but it is still execution of external/tool-registry code.

User impact: Running a registry tool may execute code supplied by that tool ecosystem, with safety depending on the CLI sandbox behavior and settings.
Recommendation: Run only tools you intend to use, keep sandbox restrictions enabled, and review tool inputs/outputs before using results in sensitive workflows.
Tool Misuse and Exploitation
Severity: Medium | Confidence: High | Status: Note
SKILL.md
devtopia submit my-tool ./my-tool.js -c core

The workflow includes submitting created tools to the Devtopia registry. This is disclosed and purpose-aligned, but it can change shared external state.

User impact: An agent could publish or submit a tool if the user allows it, which may expose code or affect the registry ecosystem.
Recommendation: Require explicit user approval before any `devtopia submit`, review generated code first, and confirm the target category/account before submitting.