Skill v1.0.0
ClawScan security
Project- & Time-Capsules · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Suspicious · Mar 9, 2026, 10:04 PM
- Verdict: suspicious
- Confidence: medium
- Model: gpt-5-mini
- Summary: The skill is coherent with its stated purpose (archiving projects to a cloud remote via rclone), but the bundled script constructs shell commands unsafely and the instructions encourage removing agent memory. Both raise practical safety concerns the user should review before installing.
- Guidance: This skill does what it says (archives project files to an rclone remote), but review these issues before installing. (1) The Python script runs shell commands via subprocess.run(..., shell=True) and builds the command string from user-provided names and paths; if those values are not sanitized, a name or path containing shell metacharacters can inject additional commands or cause unexpected command execution. Consider editing the script to call subprocess.run([...], shell=False) with an argument list and to validate project names and file paths. (2) The skill will upload whatever you tell it (or whatever an agent instructs it to upload) to your configured rclone remote; verify that the remote points to the correct cloud account and that you trust that account. (3) SKILL.md suggests removing project details from agent memory (e.g., MEMORY.md); do not allow automated deletion of agent memory or files without explicit, auditable confirmation. (4) If you plan to run this in a multi-tenant or sensitive environment, test in a sandbox first and consider limiting which files the agent is permitted to 'save'. If you want, I can produce a safer variant of kapsel.py that avoids shell=True and adds input validation and an allowlist for saved paths.
Review Dimensions
- Purpose & Capability (ok): Name and description match what the code and SKILL.md do. They rely on rclone to store capsule folders on a cloud remote and provide commands to create, list, load, archive and save capsules. Requiring a configured rclone remote is expected for this functionality.
- Instruction Scope (note): SKILL.md stays within scope (create/list/load/summary/archive/save). However, it recommends removing project details from the agent's active memory (e.g., 'Remove project details from active memory (e.g. MEMORY.md)'), which instructs the agent to modify its own stored context and could be risky if done automatically. The agent-facing workflow also implies the agent may run 'save' to copy arbitrary files into the remote; that is reasonable for this tool but worth guarding.
- Install Mechanism (ok): No install spec; instruction-only, with a Python script to copy into the workspace. The skill itself performs no remote downloads or package installs, which keeps install risk low.
- Credentials (note): The skill requests no secrets directly and uses optional env vars (KAPSEL_REMOTE, KAPSEL_TMP). However, it depends on the user's rclone configuration, and the configured remote(s) hold credentials to cloud storage. Any invocation that copies files will place data into whatever remote the user configured, so users should confirm the remote points to the intended account or storage and not to an untrusted endpoint.
- Persistence & Privilege (ok): The skill's always flag is false; it is user-invocable only, does not request persistent platform privileges, and does not attempt to modify other skills. It copies its script into the workspace per the instructions (normal behavior).
