Pincer
ReviewAudited by ClawScan on May 10, 2026.
Overview
Pincer has a coherent security-scanning purpose, but the visible script has review-worthy safety gaps around unpinned runtime code, fail-open scanning, and unvalidated file paths.
Before installing, understand that Pincer can install other skills and change future trust decisions. Prefer setting autoApprove to "never" until the scanner is fail-closed, mcp-scan is pinned, and fetched file paths are safely validated.
Findings (4)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
If the external scanner errors, times out, or changes output format, a skill could be treated as clean and proceed toward installation.
The scanner command's non-zero exit is swallowed, and the parser falls back to "clean" when it does not recognize warning patterns. For a tool that may auto-approve clean installs, this is a fail-open scan path.
output=$(uvx mcp-scan@latest --skills "$target" 2>&1) || true ... else
echo "clean"Fail closed on scanner errors, preserve and check exit codes, parse structured output where possible, and require manual approval whenever any scan stage fails.
A malicious or malformed skill file listing could cause pincer to write outside its intended temporary or cache directory before installation.
File names parsed from external clawhub output are used directly to create directories and write files, without visible checks for traversal segments such as ../ or canonical containment under the destination directory.
files=$(echo "$files_output" | grep -E '^\S+\s+[0-9]+[BKM]' | awk '{print $1}' || true) ... mkdir -p "$file_dir" ... > "$dest_dir/$file"Reject absolute paths and ../ segments, canonicalize the final path, and verify every fetched file stays inside the intended destination directory before writing.
A future compromised or breaking mcp-scan release could affect every scan and install decision made through pincer.
The skill executes mcp-scan via uvx using @latest, so the code run during scans can change over time and is not pinned to a reviewed version.
output=$(uvx mcp-scan@latest --skills "$target" 2>&1) || true
Pin mcp-scan to a specific reviewed version, document the provenance, and consider checksums or a lockfile for reproducible execution.
If the trust list is changed too broadly, future clean-looking skills from those publishers may install with less prompting.
The skill stores persistent trust and history settings that influence future install decisions. This is disclosed and purpose-aligned, but it is state that can affect later agent behavior.
"trustedPublishers": ["openclaw", "steipete", "invariantlabs-ai"], ... "autoApprove": "clean", ... "logInstalls": true
Review ~/.config/pincer/config.json periodically, keep trusted publishers limited, and set autoApprove to "never" if you want every install to require explicit confirmation.