Skill v1.0.1

ClawScan security

Ideas2tasks · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Review · Apr 16, 2026, 2:46 PM
Verdict: Review
Confidence: medium
Model: gpt-5-mini
Summary
The skill mostly does what it claims (scan Ideas, create Tasks, sync statuses) but includes undeclared network integrations and environment/config reads (Telegram, GitHub CLI, ~/.qclaw config) and uses shell subprocesses — these inconsistencies and missing declarations warrant caution.
Guidance
Before installing or running this skill, review and test locally rather than running it on your main account:
1) Inspect scripts (lifecycle.py, executor.py, sync_status.py, task_completion_hook.py) yourself to confirm the actions are acceptable (they will move files into _done/ and modify task/README files).
2) Run in dry-run modes first (many scripts support --dry-run) and back up /Users/claw/Ideas and /Users/claw/Tasks.
3) Be aware the code will attempt to send Telegram messages and call the gh CLI to create GitHub issues — ensure TELEGRAM_BOT_TOKEN / TELEGRAM_CHAT_ID and gh credentials are intentionally provided; if you don't want remote actions, unset those envs and remove/disable GitHub sync code.
4) Note the executor uses subprocess with shell=True; ensure task titles or idea contents cannot be manipulated to inject shell commands in your environment.
5) If you will allow cron or automated runs, prefer running inside an isolated environment/container or a dedicated user with limited access.
6) If anything is unclear or you need the skill to avoid external sync, ask the author to (a) declare required env vars, (b) avoid shell=True usage or use subprocess with argument lists, and (c) document exactly when files will be moved or network calls made.
Findings
[SUBPROCESS_SHELL_TRUE] expected: executor.py runs 'gh' via subprocess.run(..., shell=True) to create GitHub issues. Using gh is coherent for issue sync, but shell=True with constructed command strings can be risky (injection if inputs are not fully sanitized). The code does escape double-quotes for titles but still constructs a shell command string.
[UNDECLARED_TELEGRAM_ENV] expected: lifecycle.py uses TELEGRAM_BOT_TOKEN and TELEGRAM_CHAT_ID environment variables and falls back to ~/.qclaw/gold_monitor_config.json. Using Telegram for notifications is plausible, but these env vars/config paths are not declared in the skill metadata (requires.env is empty), which is an incoherence.
[HARDCODED_HOME_PATHS] expected: Scripts operate on hardcoded /Users/claw/Ideas and /Users/claw/Tasks and read ~/.qclaw/gold_monitor_config.json. Hardcoded paths match the stated purpose but increase risk if run under a different user or if assumptions about the home layout differ.
[GITHUB_CLI_INTEGRATION] expected: executor.py contains GitHub owner/repo constants and logic to create issues via the gh CLI. GitHub sync is reasonable for a task automation tool, but it implies the need for gh and authenticated credentials — again not declared in the metadata.

Review Dimensions

Purpose & Capability
note: The core purpose (scan /Users/claw/Ideas, create /Users/claw/Tasks, split ideas into tasks and archive processed files) aligns with the code and SKILL.md. However the code also implements optional integrations (Telegram notifications, GitHub Issue/Board sync via the gh CLI, creation of GitHub blob URLs) that are not declared in the skill metadata or requires.env. These integrations are plausibly related (reporting / issue sync) but should have been declared up-front.
Instruction Scope
concern: Runtime instructions and shipped scripts will read and write user files under /Users/claw (Ideas, Tasks), move files into _done/, create and update README and task files, spawn agents (mapped agent IDs) and send external network requests (Telegram API) and call the GitHub CLI. SKILL.md mentions scanning, creating tasks, archiving, sending Telegram, and spawning agents, but it does not mention GitHub CLI usage, nor does it declare that it will read ~/.qclaw/gold_monitor_config.json. The code also contains logic to update files permanently — e.g., shutil.move — so data will be modified/moved on disk. The skill's instructions are not fully explicit about required credentials and side effects.
Install Mechanism
ok: No install spec — this is instruction+script bundle. No network-based installer or archive download. That reduces supply-chain concerns; risk comes from running included scripts, not from an installer.
Credentials
concern: The code reads environment variables TELEGRAM_BOT_TOKEN and TELEGRAM_CHAT_ID and falls back to a config file at ~/.qclaw/gold_monitor_config.json; it also expects the gh CLI to run (implying GitHub credentials available to gh). None of these credentials/config paths are declared in the skill metadata. Requesting access to Telegram/GitHub auth is plausible for notifications and issue sync, but the absence of declared required env vars and the presence of a fallback config path are inconsistent and increase surprise/risk.
Persistence & Privilege
note: always:false and model invocation allowed (default). The skill writes to the user's filesystem (creates/moves files) and recommends daily cron execution; it does not request forced permanent inclusion. These file writes are coherent with the purpose, but the ability to spawn agents and invoke external network operations combined with file modifications increases the operational impact if misused. No evidence it modifies other skills' configs.