Skill v1.0.7
ClawScan security
skill4agent · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Benign · Mar 9, 2026, 8:14 PM
- Verdict: benign
- Confidence: high
- Model: gpt-5-mini
- Summary: The skill's requested actions and external dependencies align with its stated purpose (search/read/install skills from skill4agent.com); nothing appears incoherent or disproportionate.
- Guidance: This skill appears internally consistent, but exercise normal caution:
  1. `npx skill4agent` will fetch and execute code from npm on your machine; prefer the API option to inspect content (SKILL.md) before running remote code.
  2. When installing a downloaded skill, inspect its files (especially scripts) before executing them; follow the SKILL.md advice to obtain user consent for skills flagged as containing sensitive code.
  3. Confirm you trust the domain skill4agent.com and the npm package ownership before running installs; avoid running installation commands as root or with elevated privileges.
  4. If you need stronger assurance, fetch the skill via the API, review the ZIP contents locally, and only then run necessary install steps.
Review Dimensions
- Purpose & Capability (ok): Name and description match the instructions: the skill is a wrapper around the skill4agent platform (CLI via npx or direct API). The external npm package and API endpoints listed in SKILL.md are consistent with a search/read/install manager for an online skill library.
- Instruction Scope (ok): Runtime instructions are scoped to searching, reading SKILL.md content, and downloading/installing skills to a local .agents/skills/<skill_name> directory. The doc explicitly recommends checking script safety and obtaining user consent for skills flagged as containing sensitive code. There are no instructions to read unrelated system files, other configs, or to exfiltrate data.
- Install Mechanism (note): The skill is instruction-only but directs use of `npx skill4agent` (which fetches and executes code from the npm registry) or downloading ZIPs from skill4agent.com. This is expected for an installer-type tool, but running npx executes remote code transiently on the host, a normal but higher-risk action compared with purely local operations. The SKILL.md does not provide its own install spec, relying instead on the third-party package and site.
- Credentials (ok): No environment variables, credentials, or config paths are requested. The declared requirements (Node.js/npm/npx) are appropriate for the CLI option. There are no unrelated or excessive credential requests.
- Persistence & Privilege (ok): The skill does not request always:true and does not instruct modifying other skills' configs or system-wide settings. Installing downloaded skills writes into a local .agents/skills directory (documented), which is proportional for a skill installation workflow.
