Skill v1.0.0

ClawScan security

onescience-installer · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Suspicious · Apr 24, 2026, 3:21 AM
Verdict
suspicious
Confidence
medium
Model
gpt-5-mini
Summary
The skill's stated purpose (remote-only installer) is plausible, but its instructions require reading the user's local ~/.ssh/config (a sensitive local file) without declaring that access, and there are small inconsistencies (GitHub homepage vs a Gitee clone URL) — these mismatches merit caution before installing or running it.
Guidance
Before installing or running this skill, consider the following:
- The skill explicitly instructs the agent to read your local ~/.ssh/config. That file can include hostnames, usernames, and references to private keys. Only proceed if you are comfortable granting the agent access to that file.
- Verify the repository source: the package homepage is GitHub but the install sequence clones from Gitee. Confirm the expected repository and trustworthiness of the code before cloning or running remote install scripts.
- Prefer to have the skill list the exact remote commands it will run and review them before execution. If possible, run the commands yourself on the remote host or use a test account with minimal privileges.
- If you do allow the skill to read ~/.ssh/config, restrict that config to only the hosts you intend the skill to manage, and avoid storing sensitive or broad-scope entries you don't want the skill to see.
- If you want lower risk, skip automatic execution: have the skill produce a detailed install plan/command list and run those commands manually on the cluster.
- If you need a firmer assessment, ask the publisher for: (a) an explicit statement of why ~/.ssh/config must be read, (b) the exact SSH/remote commands the skill will execute, and (c) checksums or known-good sources for any repositories or installers it will pull.
Findings
[no-findings] expected: The package contains no code files and the regex scanner had nothing to analyze. For instruction-only skills, absence of findings is not evidence of safety — the SKILL.md instructions are the primary surface to review.

Review Dimensions

Purpose & Capability
note: The name/description (remote installer for DCU via SSH) matches the instructions to identify hosts and run remote commands. However the skill's 'strict remote-only execution' claim conflicts with the explicit rule to always read the user's local ~/.ssh/config first — that is not remote execution, it requires local file access. Reading SSH config can be legitimate to discover hosts, but it is more invasive than a purely remote-only workflow.
Instruction Scope
concern: SKILL.md instructs the agent to always read ~/.ssh/config and to 'identify available remote hosts' before doing anything else. That file can contain sensitive hostnames, user names, and paths to private key files. The skill does not declare this local file access in its metadata, and it gives no guidance about handling identity files or how to avoid leaking sensitive information. Additionally, the README/homepage points to GitHub but the install steps clone from gitee.com — a minor inconsistency that should be verified.
Install Mechanism
ok: Instruction-only skill with no install spec and no code files — nothing is written to disk by an installer. This is the lowest-risk install mechanism from the skill packaging perspective.
Credentials
concern: The skill declares no required env vars or config paths, yet the runtime instructions explicitly require reading a local sensitive file (~/.ssh/config) and presume the presence of SSH keys and cluster module paths. Because access to SSH configuration is effectively a credential/identity surface, the omission of that requirement in the metadata is disproportionate and under-specified.
Persistence & Privilege
ok: always is false and there is no install stage that would persist or modify other skills or global agent settings. The skill doesn't request elevated or persistent privileges in its metadata.