Skill v0.8.9
ClawScan security
autoagent · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Review: Mar 13, 2026, 10:09 PM
- Verdict: Review
- Confidence: medium
- Model: gpt-5-mini
- Summary: The skill's behavior broadly matches its description (automated sandboxed prompt optimization), but its runtime instructions allow reading and copying user-specified scripts and creating cron jobs that will autonomously run iterations against whatever files/paths you point it at — this could access sensitive files if misconfigured.
- Guidance: This skill appears to do what it says, but review and control what directories and scripts you point it at before starting. Recommended precautions:
  - Never set the sandbox path to system or home directories (e.g., /home, /root, /etc, ~/.ssh). Use a dedicated workspace folder.
  - If asked to reference scripts/tools, only provide copies you control and have inspected; don't let it locate or read arbitrary system binaries unless you explicitly want that.
  - Verify the cron job and its schedule after setup and be prepared to stop/pause it if it runs unexpected work. Consider a longer interval while testing.
  - Inspect sandbox contents (guidance-under-test.md, current-guidance.md, scripts/) before allowing iterations to run automatically.
  If you want to be extra cautious, run one iteration manually and confirm behavior before enabling periodic runs.
Review Dimensions
- Purpose & Capability: ok. Name/description (automated iterative improvement of agent guidance) aligns with the requested capabilities: creating a sandbox, running iterations, scoring, and using subagents. No unrelated credentials, binaries, or installs are requested.
- Instruction Scope: concern. SKILL.md and iteration/setup prompts explicitly instruct the agent to: create an arbitrary sandbox path (including absolute paths), copy guidance and any referenced scripts into the sandbox, locate and read referenced scripts/tools (read code/binaries), and run subagents to execute tests. Those steps are required for the feature but give the skill the ability to read arbitrary files (if the user supplies or points to them) and to execute user-supplied scripts via subagents. The instructions do not include safeguards or limits (e.g., restrict sandbox to workspace, warn about sensitive paths), so a mistaken or maliciously chosen sandbox path could expose sensitive files.
- Install Mechanism: ok. Instruction-only skill with no install spec and no code files to write on install; this is low-risk from an install-mechanism perspective.
- Credentials: ok. No environment variables, credentials, or config paths are requested. The skill asks the user to specify script/tool paths if used — that explains file access but relies on user-supplied paths rather than requesting unrelated secrets.
- Persistence & Privilege: note. The skill sets up a persistent cron job (default every 5 minutes) and spawns subagents autonomously on that schedule. It does not set always:true, but the cron will cause regular autonomous activity until paused. This persistence is consistent with the skill's purpose but increases blast radius if the sandbox or referenced scripts are pointed at sensitive locations or contain dangerous operations.
