Skill v1.0.2

ClawScan security

OneScience-Skills · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Suspicious (Apr 22, 2026, 12:41 PM)
Verdict
suspicious
Confidence
medium
Model
gpt-5-mini
Summary
The skill bundle broadly matches a OneScience orchestration purpose, but several embedded runtime instructions ask the agent to read sensitive local files (e.g., ~/.ssh/config) and to perform SSH-based remote installs and unattended submissions without declaring credentials; these behaviors are disproportionate to the stated purpose and warrant caution.
Guidance
This skill package mostly contains detailed workflow and orchestration instructions, but pay close attention to the installer instructions that require reading your local ~/.ssh/config and automatically SSH-ing into your remote hosts to run installs and commands. Before installing or enabling this skill:
- Do not allow the agent to run commands that read ~/.ssh/config or any other private files unless you explicitly approve each command and understand which host(s) will be contacted.
- Treat the installer as high-risk: prefer to perform remote install steps manually (follow the documented commands yourself on your remote host) rather than granting the agent permission to access SSH configuration or connect for you.
- Ask the skill author for provenance (source, homepage) and for an installer variant that only outputs the exact commands for a human to run locally, instead of performing them automatically.
- If you decide to use the installer via the agent, require an explicit, interactive confirmation step for: (1) reading ~/.ssh/config, (2) selecting a Host, and (3) every remote command to execute, and ensure the agent will not exfiltrate hostnames/keys to external endpoints.
- Verify any SCNet/SCNET MCP submission workflow: the skill references submitting files to a cluster but does not declare how credentials are provided; ensure you control credentials and do not paste secrets into chat.
If you want, I can: (A) produce a safe, read-only checklist version of the installer steps that the agent can present as instructions for you to run manually on your remote host, or (B) draft a redacted installer SKILL.md that removes automatic local ~/.ssh/config reads and SSH commands and instead requests explicit host and credential input before any network action.
Findings
[none_detected] unexpected: Regex-based scanner found no code files to analyze (instruction-only). This is expected for an instruction-only skill, but absence of findings does not imply safety. The SKILL.md files themselves contain sensitive operational directives (local ~/.ssh/config read and SSH remote installation) which the scanner did not flag because it only analyzes code files.

Review Dimensions

Purpose & Capability
[note] Overall purpose (workflow/orchestration of OneScience sub-skills) aligns with the provided onescience-coder, onescience-runtime, onescience-debug and onescience-installer documents. However, the installer sub-skill explicitly mandates reading the user's local ~/.ssh/config and establishing SSH connections to remote DCU hosts; this local-file access and autonomous remote execution is not reflected in the skill's declared requirements (no env vars, no config paths) and is not necessary for a purely orchestration/authoring skill. This is disproportionate to the stated high-level purpose of a 'skill manager' unless the installer functionality is intentionally included and the user expects remote-host operations.
Instruction Scope
[concern] SKILL.md content (particularly onescience-installer) instructs the agent to run 'cat ~/.ssh/config' locally, parse Hosts, and automatically SSH into chosen hosts to perform remote installs and run remote commands (module loads, conda create, git clone, install.sh, etc.). These instructions request access to a sensitive local file and instruct autonomous network/remote execution and command execution on user servers. The runtime docs also reference numerous environment variables (ONESCIENCE_DATASETS_DIR, ONESCIENCE_MODELS_DIR, $ROCM_PATH) and require reading/writing project files and generating test/submit scripts. The skill text forbids local execution of installs and insists on remote-only installs; this enforces scanning of local SSH config and remote actions that go beyond simple orchestration and can lead to credential/host exposure if performed without explicit user consent. The instructions also reference submitting jobs to SCNet/SCNET MCP but provide no declared mechanism or credentials for that submission.
Install Mechanism
[ok] There is no install specification (instruction-only), so no code is downloaded or written by the registry install process itself. That is lower risk from a supply-chain/installation perspective. However, the runtime instructions direct the agent to clone repositories and run remote commands at runtime (via SSH), which is an operational risk even though the skill bundle itself does not install code in the platform.
Credentials
[concern] Registry metadata declares no required env vars or config paths, yet the SKILL.md files reference many environment variables and local files (ONESCIENCE_DATASETS_DIR, ONESCIENCE_MODELS_DIR, $ROCM_PATH, conda environment activation, and critically ~/.ssh/config). The installer requires reading ~/.ssh/config (a sensitive local file) and initiating SSH sessions. These accesses are not declared and are not proportionate to a mere orchestration/documentation skill unless explicit remote-install capabilities were advertised and user credentials/consent were provided.
Persistence & Privilege
[note] The skill is not marked 'always: true' and is user-invocable; autonomous invocation is permitted (disable-model-invocation: false), which is normal. The combination of autonomous invocation plus instructions that access local SSH configuration and perform remote execution increases potential impact if the agent acts without explicit user confirmation. This is not a configuration-level privilege in the manifest, but the runtime instructions effectively request sensitive capabilities.