Skill v1.0.0

ClawScan security

Claude Delegate · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Suspicious · Mar 9, 2026, 6:34 PM
Verdict
suspicious
Confidence
high
Model
gpt-5-mini
Summary
The skill's stated purpose (delegating coding tasks to Claude Code) is plausible, but the runtime instructions direct automatic use of a 'bypassPermissions' mode and call an undeclared 'claude' CLI, both of which are unexpected and raise red flags.
Guidance
This skill looks like a thin wrapper for running a local 'claude' CLI, but it forces a '--permission-mode bypassPermissions' flag (which overrides permissions) and doesn't declare the 'claude' binary dependency. Before installing or enabling it:
1) Do not allow automatic or unattended execution; require user confirmation.
2) Ask the author to remove or make the bypassPermissions flag optional and documented; never force a permission-bypass by default.
3) Ensure the agent runs in a restricted sandbox and that the 'claude' CLI is trustworthy and installed intentionally.
4) Have the skill declare the 'claude' binary as a required dependency (and justify any elevated flags).
If you cannot verify those changes or you do not trust the local 'claude' executable, treat this skill as risky and do not enable it on sensitive projects or systems.

Review Dimensions

Purpose & Capability
concern: The name/description match the instructions (delegating coding tasks to Claude Code). However, the SKILL.md explicitly runs a 'claude' CLI with '--permission-mode bypassPermissions', yet the skill metadata declares no required binaries or credentials. The skill should have declared the 'claude' binary (or other runtime dependency) and must justify the permission-bypass flag; the current mismatch is unexpected.
Instruction Scope
concern: Instructions tell the agent to run shell commands via exec (bash workdir:/path command:"claude ..."). This is coherent for a delegator, but the documentation forces the '--permission-mode bypassPermissions' flag and '--print' unilaterally. That flag appears to override safety/permission controls and effectively escalates the delegated tool's privileges; it broadens scope beyond simple code-generation and could enable access to files or actions the user's environment would otherwise block.
Install Mechanism
ok: This is an instruction-only skill with no install spec or code files, which minimizes installation risk. There is nothing being downloaded or written by the skill itself.
Credentials
note: The skill requests no environment variables or credentials (which is reasonable). However, it fails to declare that it depends on a local 'claude' CLI binary and on the ability to run shell commands in arbitrary working directories; both are effectively required at runtime and should be declared.
Persistence & Privilege
concern: The skill does not request permanent 'always' presence (good), but instructing automatic use of '--permission-mode bypassPermissions' is a form of privilege escalation for the invoked tool. That increases the blast radius if the agent executes this skill autonomously or without user confirmation.