Skill v2.0.0

ClawScan security

Skill Publish Adapter Real · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Review · Mar 13, 2026, 2:32 AM
Verdict: Review
Confidence: medium
Model: gpt-5-mini
Summary
The skill's stated purpose (help publish skills) is plausible, but there are multiple inconsistencies and risky instructions (downloading and executing remote shell scripts, mismatched metadata, undeclared env usage) that make its intentions unclear — inspect the remote scripts before running.
Guidance
This skill downloads and runs shell scripts from a remote GitHub raw URL and performs filesystem and publishing actions — that can execute arbitrary code. Before installing:

1) Inspect the referenced install.sh and skill-publish-adapter.sh in the remote repository (raw URL) and verify their contents and author.
2) Verify the repository owner and commit history (who maintains it).
3) Prefer a bundled package or published release with checksums/signatures rather than executing raw scripts.
4) Run the tool in an isolated environment (container, VM) or sandbox first, and avoid running it on systems with sensitive credentials or keys.
5) Ask the publisher to declare required env vars/credentials and to include the scripts in the package or a verifiable release.

If you can provide the contents of the remote scripts (install.sh / skill-publish-adapter.sh), I can review them and reduce uncertainty.

Review Dimensions

Purpose & Capability
concern: The SKILL.md claims a publish-adapter but package.json identifies a different package name/author (skill-validator / xiaoboren) and lists files that are not included in the bundle. The skill asks to download and execute external shell scripts to perform its core work — that could be reasonable for a CLI helper, but the metadata mismatch and absent local scripts are incoherent.
Instruction Scope
concern: Runtime instructions direct the agent/user to download and run ./skill-publish-adapter.sh and ./install.sh from a remote raw.githubusercontent.com URL, modify files and permissions, create missing files, and perform publishing steps (including to GitHub). The SKILL.md also references environment variables (CLAWHUB_USER, GITHUB_USER, DEBUG) and implies credential use, but the registry declares no required env vars — the instructions access/require more than what is declared.
Install Mechanism
concern: There is no install spec in the registry (instruction-only), but the SKILL.md recommends fetching shell scripts from raw.githubusercontent.com and then running them. Downloading and executing arbitrary scripts from the network is high-risk: GitHub raw is a common host but content can change and executing remote shells without review can run arbitrary code on the user's machine.
Credentials
concern: Registry declares no required credentials, yet SKILL.md shows use of CLAWHUB_USER and GITHUB_USER and implies GitHub/ClawHub publishing (which typically requires auth tokens or SSH keys). Required binaries differ between registry metadata (bash, jq, tar, git) and package.json (bash, jq, find, grep, sed). The skill may need credentials not declared here — that's disproportionate and undeclared.
Persistence & Privilege
note: The skill is not flagged always:true and does not declare system-wide modifications, but its workflow writes files, fixes permissions, creates archives, and executes scripts — normal for a publish tool but potentially persistent. No direct evidence it modifies other skills or agent config; risk stems from executing fetched scripts.