Skill v1.0.0

ClawScan security

Skill Hub · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Suspicious · Feb 11, 2026, 9:28 AM
Verdict
suspicious
Confidence
medium
Model
gpt-5-mini
Summary
Skill Hub mostly implements the described discovery and vetting functionality, but there are mismatches and risky behaviors (use of npx/gh, implicit network fetches, and a detected prompt-injection token in SKILL.md) that merit closer review before installing.
Guidance
What to consider before installing Skill Hub:
- Dependency check: The package calls external CLIs ('gh', the GitHub CLI, and 'npx' to run clawhub). The metadata incorrectly lists no required binaries; make sure you have and trust these CLIs before running the skill.
- Remote code execution: The skill runs 'npx clawhub@latest' and fetches the raw README from GitHub. With '@latest', npx resolves the newest published version on every run and downloads it when it is not already cached, so the code that executes can change between runs without any change to the skill itself. Pin a version or audit clawhub's behavior before allowing installs.
- Prompt-injection token: A prompt-injection phrase was detected in SKILL.md. Confirm whether it appears only as an example for detection, not as an instruction the agent should follow. If you plan to let the agent invoke this skill autonomously, be cautious about ambiguous frontmatter or instructions that could influence model behavior.
- File writes & workspace: The skill reads/writes a catalog at references/awesome-catalog.json (inside the skill bundle) and uses ~/.openclaw/workspace when invoking ClawHub. Ensure you are comfortable with those write locations and back them up if necessary.
- Run in a sandbox first: If possible, run the scripts in a restricted environment or container and observe their network calls and subprocesses (gh, npx) before enabling the skill in a production agent.
- Audit third-party behavior: Inspect and verify what 'clawhub' and the GitHub repo (VoltAgent/awesome-openclaw-skills) contain. Because this skill downloads and inspects other skills, its trust boundary extends to the external repos it contacts.
Recommended next steps:
1) Review the code paths that call subprocess (search, quick-check, vet) to confirm they do not pass untrusted input to shell=True calls (the provided scripts appear to use list-argument subprocess.run without shell=True).
2) Confirm or add required-binaries metadata for gh and npx.
3) Pin npm package versions (avoid '@latest') and avoid automatic remote execution unless you trust the sources.
4) If you allow this skill, run its vet function on itself and run quick-check/sync in a controlled environment first.
Given these mismatches and the prompt-injection signal, exercise caution: the skill is plausible for its stated purpose but has implementation details and runtime behaviors that warrant review before granting it access to your agent.
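The review steps above (the shell=True audit in step 1, the required-binaries check in step 2, the '@latest' pinning in step 3, and the prompt-injection phrase from the Findings) can be run as a static check over a skill bundle. The following is an added example written for this page, not ClawScan's pre-scan or Skill Hub's own code. It walks each Python script with the `ast` module, records which external binaries the scripts really invoke and compares them with what the SKILL.md frontmatter declares, flags `npx <pkg>@latest` and remote fetch URLs, and reports where in SKILL.md an injection phrase sits. The frontmatter key `required-binaries`, the sample SKILL.md and the sample script are constructed stand-ins, since the real files are not reproduced here.

```python
import ast
import re

SUBPROCESS_FUNCS = {"run", "call", "check_call", "check_output", "Popen"}
INJECTION_PHRASES = ("ignore previous instructions", "disregard previous instructions")
URL_RE = re.compile(r"https?://[^\s'\"]+")
LATEST_RE = re.compile(r"^[@\w./-]+@latest$")
BINARIES_KEY = "required-binaries"  # assumed frontmatter key; the real schema is not shown on this page

def _is_subprocess_call(node):
    f = node.func
    if isinstance(f, ast.Attribute):
        return f.attr in SUBPROCESS_FUNCS and isinstance(f.value, ast.Name) and f.value.id == "subprocess"
    return isinstance(f, ast.Name) and f.id in SUBPROCESS_FUNCS

def scan_script(name, source):
    """Static checks for one Python script: shell=True, non-list commands, @latest, remote URLs."""
    findings, binaries = [], set()
    for node in ast.walk(ast.parse(source)):
        if not isinstance(node, ast.Call) or not _is_subprocess_call(node):
            continue
        where = f"{name}:{node.lineno}"
        if any(k.arg == "shell" and isinstance(k.value, ast.Constant) and k.value.value is True
               for k in node.keywords):
            findings.append(f"{where}: subprocess call with shell=True")
            continue
        cmd = node.args[0] if node.args else None
        # argv as a list of strings; None marks an element that is not a string literal
        argv = ([e.value if isinstance(e, ast.Constant) and isinstance(e.value, str) else None
                 for e in cmd.elts] if isinstance(cmd, (ast.List, ast.Tuple)) else None)
        if not argv or argv[0] is None:
            findings.append(f"{where}: command is not a literal argv list")
            continue
        binaries.add(argv[0])  # the binary the script really needs at runtime
        for arg in argv[1:]:
            if arg and LATEST_RE.match(arg):
                findings.append(f"{where}: unpinned package {arg!r} executed via {argv[0]}")
    for m in URL_RE.finditer(source):
        findings.append(f"{name}: remote fetch {m.group(0)}")
    return findings, binaries

def parse_frontmatter(skill_md):
    """Split SKILL.md into (metadata dict, frontmatter text, body); scalars and [a, b] lists only."""
    lines = skill_md.splitlines()
    if not lines or lines[0].strip() != "---":
        return {}, "", skill_md
    meta, front = {}, []
    for i in range(1, len(lines)):
        if lines[i].strip() == "---":
            return meta, "\n".join(front), "\n".join(lines[i + 1:])
        front.append(lines[i])
        key, sep, value = lines[i].partition(":")
        if sep:
            value = value.strip()
            meta[key.strip()] = ([v.strip() for v in value.strip("[]").split(",") if v.strip()]
                                 if value.startswith("[") else value)
    return meta, "\n".join(front), ""

def vet_skill(skill_md, scripts):
    """Bundle-level result: per-script findings, undeclared binaries, injection phrases by location."""
    meta, front, body = parse_frontmatter(skill_md)
    findings, used = [], set()
    for name, src in scripts.items():
        f, b = scan_script(name, src)
        findings.extend(f)
        used |= b
    declared = meta.get(BINARIES_KEY, [])
    declared = set() if declared in ("", "none", []) else set([declared] if isinstance(declared, str) else declared)
    undeclared = used - declared
    if undeclared:
        findings.append("binaries invoked but not declared: " + ", ".join(sorted(undeclared)))
    for phrase in INJECTION_PHRASES:
        for label, text in (("frontmatter", front), ("body", body)):
            if phrase in text.lower():
                findings.append(f"prompt-injection phrase {phrase!r} in SKILL.md {label}")
    return {"findings": findings, "used_binaries": used, "undeclared": undeclared}

# Constructed stand-ins for the real Skill Hub files, which this page does not reproduce.
SAMPLE_SKILL_MD = """---
required-binaries: none
---
# Skill Hub
Vetting flags text such as "ignore previous instructions" in candidate skills.
"""
SAMPLE_SCRIPTS = {"skill_hub.py": '''
import subprocess, urllib.request

def search(query):
    return subprocess.run(["npx", "clawhub@latest", "search", query], capture_output=True)

def fetch_readme(repo):
    return urllib.request.urlopen(f"https://raw.githubusercontent.com/{repo}/main/README.md").read()

def quick_check(repo):
    return subprocess.run(["gh", "repo", "view", repo], capture_output=True)

def sync(repo):  # the pattern step 1 warns about: untrusted input concatenated into a shell string
    return subprocess.run("gh api repos/" + repo + "/contents/README.md", shell=True)
'''}
```

On the sample bundle, `vet_skill(SAMPLE_SKILL_MD, SAMPLE_SCRIPTS)["findings"]` reports the shell=True call in `sync`, the unpinned `clawhub@latest` run through npx, the raw.githubusercontent.com fetch, `gh` and `npx` as invoked but undeclared, and the injection phrase located in the SKILL.md body rather than the frontmatter, which is the distinction the Findings entry asks the reader to make. A phrase that only appears in body prose is weaker evidence than one in frontmatter the agent loads as instructions, but the check is a heuristic: an agent that reads the whole file still sees both, so the reviewer's judgement about intent stays necessary.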
Findings
[ignore-previous-instructions] unexpected: A prompt-injection pattern (ignore previous instructions) was detected in SKILL.md content by the pre-scan. A vetting skill may discuss or detect such patterns, but the presence of that exact phrase in runtime frontmatter/instructions is suspicious because it could be an attempt to manipulate model behavior; verify whether this is an explanatory example vs. an instruction that could be interpreted by an agent.

Review Dimensions

Purpose & Capability
note · The code and SKILL.md align with the stated purpose (searching a curated catalog, vetting skills, syncing from GitHub, and invoking ClawHub for installs). However, the registry metadata claims 'required binaries: none' while the runtime scripts call external CLIs (gh and npx/clawhub) and expect a Python runtime. This is a mismatch: the skill realistically requires 'gh' and 'npx' (and network access).
Instruction Scope
ok · SKILL.md and the scripts constrain actions to discovery, vetting, exporting, and syncing. The instructions run local scripts, call out to GitHub (raw README), and use npx to list/inspect/install skills. They read and write catalog files under the skill bundle and use a workspace under the user's home (~/.openclaw). They do not instruct the agent to read arbitrary user files or environment variables beyond the normal workspace/catalog paths.
Install Mechanism
note · There is no formal install spec (the package is instruction plus code only). The code performs network fetches (raw.githubusercontent.com) and invokes 'npx clawhub@latest', which downloads and executes npm code at runtime; this is a moderate risk vector because whatever npm currently serves as 'latest' runs on the user's machine. Using the GitHub raw URL is a standard release source, but the combination of npx@latest plus unpinned remote fetches increases the runtime trust required. The metadata should declare these runtime dependencies.
Credentials
concern · The skill declares no required env vars or credentials (which is appropriate). But it accesses filesystem locations (Path.home()/.openclaw/workspace, and it writes references/awesome-catalog.json inside the skill directory) and relies on external CLIs. The lack of declared required binaries (gh, npx) is a mismatch between declared and actual requirements. There are no explicit requests for unrelated secrets, but the skill invokes npx/clawhub, which may in turn read the user's environment or prompt for credentials (e.g., npm auth, gh auth); that impact is not documented.
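The concern above, that npx/clawhub may reach into the user's environment or prompt for credentials, and the "run in a sandbox first" advice under Guidance can both be checked before the real CLIs ever execute: place shim executables named gh and npx ahead of the real ones on PATH and record exactly what the skill's scripts pass to them. The following is an added example, not code from Skill Hub or ClawScan; SAMPLE_SCRIPT is a constructed stand-in for the skill's own scripts, the shim design (a POSIX sh script that logs its arguments and exits 0) is this page's choice, and Python 3 on a POSIX system is assumed.

```python
import os
import subprocess
import sys
import tempfile
from pathlib import Path

# Shim installed under each CLI name. It appends "name<TAB>arg1<TAB>arg2..." to $SHIM_LOG and
# exits 0, so the calling script proceeds while the real gh/npx (and any network request or
# credential prompt they would make) never run.
SHIM = """#!/bin/sh
printf '%s' "$(basename "$0")" >> "$SHIM_LOG"
for a in "$@"; do printf '\\t%s' "$a" >> "$SHIM_LOG"; done
printf '\\n' >> "$SHIM_LOG"
exit 0
"""

# Constructed stand-in for the skill's scripts (list-form argv, as the report says Skill Hub uses).
SAMPLE_SCRIPT = '''
import subprocess
subprocess.run(["npx", "clawhub@latest", "search", "json parser"], check=True)
subprocess.run(["gh", "repo", "view", "VoltAgent/awesome-openclaw-skills"], check=True)
'''


def observe(script_source, shims=("gh", "npx")):
    """Run a Python script with shimmed CLIs; return each invocation as an argv list, in order."""
    with tempfile.TemporaryDirectory() as tmp:
        bindir = Path(tmp) / "bin"
        bindir.mkdir()
        for name in shims:
            shim = bindir / name
            shim.write_text(SHIM)
            shim.chmod(0o755)
        log = Path(tmp) / "invocations.log"
        script = Path(tmp) / "skill_script.py"
        script.write_text(script_source)
        # The shims win the PATH lookup; the child inherits SHIM_LOG so every shim appends to one file.
        env = dict(os.environ,
                   PATH=f"{bindir}{os.pathsep}{os.environ.get('PATH', '')}",
                   SHIM_LOG=str(log))
        subprocess.run([sys.executable, str(script)], env=env, check=True)
        if not log.exists():
            return []
        return [line.split("\t") for line in log.read_text().splitlines()]


def undeclared_binaries(invocations, declared=()):
    """Binaries the run actually used that the skill metadata does not list."""
    return sorted({argv[0] for argv in invocations} - set(declared))


if __name__ == "__main__":
    calls = observe(SAMPLE_SCRIPT)
    for argv in calls:
        print(argv)
    print("undeclared:", undeclared_binaries(calls, declared=()))  # the metadata says 'none'
```

The tab-separated log keeps each argument as one field, so `"json parser"` shows up as a single argument and an argument that had been smuggled through a shell string would be visible as split words. Because the shims return nothing on stdout, a script that parses the real CLI's output fails after its first call; for those paths the shim can print a canned response instead, and it can also be extended to record `$PWD` (to confirm the ~/.openclaw/workspace usage) and the names of any token-like environment variables the CLI would have seen.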
Persistence & Privilege
ok · always:false and disable-model-invocation:false (normal). The skill writes and updates its own catalog file and may write temporary inspection outputs to temp dirs or the user's workspace; it does not request to modify other skills' configurations or set system-wide persistence. No force-inclusion privilege is requested.