Skill v1.0.0
ClawScan security
Repo PR Triage · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Benign · Feb 16, 2026, 4:36 PM
- Verdict: benign
- Confidence: high
- Model: gpt-5-mini
- Summary: The skill's files, requirements, and instructions line up with its stated purpose (GitHub PR triage using the gh CLI and a local vision rubric); nothing majorly mismatched, but inspect a few minor prompts and file-read behaviors before running it on sensitive hosts.
- Guidance: This skill appears coherent for its stated goal: it uses the gh CLI and Python stdlib to gather repo context, build a vision/rubric, score open PRs, and emit markdown reports. Before installing or running it:
  1) Inspect SKILL.md, references/example-vision.md, and the generated interview prompt for any embedded 'ignore previous instructions' / 'you are now' style prompt text—remove or redact any suspicious assistant-directive text.
  2) Only run it on machines where the configured gh authentication is acceptable (it will use your gh credentials).
  3) When invoking scan.load_vision or the onboard flow, pass only trusted local vision/rubric file paths (the scripts will read whatever path you give them).
  4) Because the code invokes gh via subprocess, run it in a controlled environment (container or throwaway VM) if you are unsure.
  5) Run the bundled tests (they exist) to verify behavior in your environment.

  If you want, share the SKILL.md and example vision files you plan to use and I can point out any suspicious prompt text to remove.
- Findings:
  - [ignore-previous-instructions] unexpected: This pattern (prompt-injection language) is not needed for a triage tool. It was detected in the SKILL.md content—inspect SKILL.md and any included vision/rubric templates for hidden prompts that try to alter agent behavior.
  - [you-are-now] unexpected: Another prompt-injection pattern found in the SKILL.md content. Could be a benign example or leftover test text, but review to ensure it doesn't attempt to change runtime instruction context.
Review Dimensions
- Purpose & Capability (ok): Name/description (PR triage, vision-based scoring) match the code and SKILL.md. The scripts call the gh CLI for repo data, generate a vision/rubric, score PRs, and render markdown reports — all expected for this purpose.
- Instruction Scope (note): Runtime instructions are narrowly scoped to onboarding (gather repo context), scanning (gh pr list, rule-based scoring), and reporting. However, a pre-scan detected prompt-injection patterns in SKILL.md (e.g., 'ignore-previous-instructions', 'you-are-now') — these are not necessary for triage and should be reviewed. The scripts read user-supplied vision files and write reports, which is expected, but you should confirm no hidden prompt text or unexpected outbound endpoints are embedded in the provided vision/rubric files.
- Install Mechanism (ok): No install spec; this is instruction/code-only and relies on the system's gh CLI and Python 3.10+. That's proportionate for a tool that calls gh. Nothing is downloaded from arbitrary URLs or installed automatically by the skill.
- Credentials (ok): The skill requests no environment variables and no credentials in its metadata. It does require the user to have gh authenticated (gh auth login) — which is appropriate for interacting with GitHub. There are no unrelated credential requests. Note: the gh CLI will use whatever GitHub identity is configured on the host, so only run where that is acceptable.
- Persistence & Privilege (ok): The skill is not forced always-on (always: false) and does not ask to modify other skills or system settings. It writes files to the output directory you supply (vision.md, rubric.md, reports), which is normal for this workflow.
