Skill v1.0.0
ClawScan security
Claude Api Anthropic · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Review: Mar 14, 2026, 2:31 PM
- Verdict: Review
- Confidence: medium
- Model: gpt-5-mini
- Summary: The skill is mostly documentation for the Claude/Anthropic SDKs (which fits its name) but contains powerful agent instructions (file/bash/web access, subagents, permission-bypass examples) and prompt-injection indicators; some metadata omissions and risky guidance make it worth extra caution before installing.
- Guidance: This skill is primarily documentation for the Claude/Anthropic APIs and Agent SDKs (so the content matches its name), but it also instructs agents to read files, run shell commands, spawn subagents, and even suggests modes that bypass permission prompts. Before installing or enabling this skill: (1) verify the skill's publisher/homepage and confirm you trust the source; (2) do not enable permission modes like 'bypassPermissions' or set allow_dangerously_skip_permissions=True unless you fully understand the consequences; (3) treat ANTHROPIC_API_KEY and other secrets as sensitive — supply them with least privilege and avoid embedding them in shared environments; (4) be cautious about executing example npx/pip/npm commands or launching MCP servers (they fetch and run third-party code); (5) if you plan to allow agent tools (Read, Bash, Edit, WebFetch), restrict allowed_tools and set permission_mode='default' or 'plan' and limit cwd; (6) consider running in an isolated environment or sandbox when experimenting; and (7) if you need higher assurance, ask the publisher why required env vars are not listed in metadata and request a homepage or provenance information. Additional information that would raise confidence: verifiable publisher identity, a homepage/repo link, and explicit metadata listing expected environment variables and their intended usage.
- Findings:
  - [system-prompt-override] unexpected: The SKILL.md contains examples and fields for setting custom system prompts and shows how to pass a system_prompt. While example code for system prompts is reasonable in SDK docs, the scanner flagged possible system-prompt override patterns — this increases the risk of prompt-injection if an agent follows these instructions without safeguards.
Review Dimensions
- Purpose & Capability (note): The skill's name and description match the included content: extensive Claude/Anthropic API and Agent SDK docs and examples. However, the skill metadata declares no required environment variables or credentials even though the docs repeatedly reference ANTHROPIC_API_KEY, ANTHROPIC_AUTH_TOKEN, DATABASE_URL, and MCP server envs — a minor incoherence (metadata omission) but explainable for an instruction-only doc bundle.
- Instruction Scope (concern): The runtime instructions explicitly tell the agent to inspect project files to infer language and to use agent tools (Read, Edit, Bash, WebFetch, spawn subagents) and to configure permissions and system prompts. Those behaviors are coherent with an Agent SDK guide but broaden the agent's runtime surface dramatically (file I/O, shell execution, network). The SKILL.md also includes examples and options that encourage bypassing permission prompts (allow_dangerously_skip_permissions, permission_mode='bypassPermissions') and contains content that triggered a system-prompt-override scan — this raises prompt-injection and privilege-escalation concerns.
- Install Mechanism (ok): Instruction-only skill with no install spec and no code files to write or execute during installation — lowest install risk. However, some examples instruct use of external package managers (pip, npm, npx) and MCP servers that, if followed by the user, will download and run code; that is user-driven and not part of skill installation.
- Credentials (note): The skill does not declare required env vars in registry metadata, yet the docs repeatedly rely on environment variables (e.g., ANTHROPIC_API_KEY, ANTHROPIC_AUTH_TOKEN, DATABASE_URL). This omission is inconsistent but not necessarily malicious — the skill doesn't store or request credentials itself, but users will need to supply keys to call remote APIs. The docs also demonstrate passing envs into spawned MCP servers, which exposes additional secrets if used carelessly.
- Persistence & Privilege (note): always:false and default autonomous invocation are normal. The SKILL.md advocates features that increase runtime capability (agent subagents, hooks, MCP servers, bypassing permissions). While the skill itself doesn't request permanent system presence, its instructions make it easy for a developer to grant broad privileges (file edits, shell execution, spawning code via npx) — exercise caution when enabling those features.
