Skillv0.1.0

ClawScan security

Promql Validator · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

ReviewMar 13, 2026, 1:30 PM

Verdict: Review
Confidence: medium
Model: gpt-5-mini
Summary: The skill appears to implement a local PromQL linter/validator (and the included Python scripts mostly match that purpose), but its runtime instructions have a few mismatches and an instruction to operate from the repository root that could cause it to read unrelated files — review before installing.
Guidance: What to check before installing/running this skill: - Review the included Python scripts yourself (validate_syntax.py, check_best_practices.py, test_validators.py). They appear to be static PromQL analyzers and the provided excerpts show no network calls or obfuscated code, but you should still inspect the full sources. - The SKILL.md expects to run commands that use python3 and git and to be executed from the repository root. The skill metadata does not declare these binaries; ensure your environment has python3 and git or ask the author to declare them. Prefer running the scripts with absolute paths to the skill folder instead of cd'ing to repo root to limit file access. - Because the instructions tell the agent to use git rev-parse --show-toplevel (and to cite lines from repository files), the skill may read arbitrary files in whatever repository the agent runs in. If you run this in a repository containing secrets, run the skill in an isolated/sandboxed environment or a copy of the repo without sensitive data. - Run the test suite locally (scripts/test_validators.py) before granting the agent autonomy. That will show what outputs the scripts produce and help you validate they behave as expected. - If you plan to allow autonomous invocation, consider restricting its scope (or require manual approval) because reading repository-wide files increases privacy risk. Ask the publisher to: (a) declare required binaries (python3, git) in metadata, and (b) change instructions to use absolute skill paths or limit file access to the skill's folder to avoid accidental exposure of unrelated repository contents.

Review Dimensions

Purpose & Capability: noteThe name/description (PromQL validation, linting, anti-pattern detection) aligns with the included Python scripts (validate_syntax.py, check_best_practices.py, tests). However the SKILL.md assumes runtime tools/paths (python3, git and a repo layout like devops-skills-plugin/skills/promql-validator/scripts/...) while the skill metadata declares no required binaries or env vars. That mismatch (scripts will be executed but runtime requirements are not declared) is an inconsistency users should be aware of.
Instruction Scope: concernRuntime instructions instruct the agent to cd to the repository root via git rev-parse --show-toplevel and to cite files with file path + line numbers. That requires reading files in the repository (docs/, examples, etc.) and possibly files outside the skill folder. The scripts themselves appear to be local static analyzers and (based on provided sources) do not perform network I/O or credential access, but the 'run from repo root' requirement widens the read surface and could cause the agent to access arbitrary repo files. The two-phase STOP/WAIT flow is sensible and limits automatic changes, which is good.
Install Mechanism: noteThere is no install spec (instruction-only install), which is low risk. But code files are included and the SKILL.md instructs running them with python3. The skill metadata did not declare python3 or git as required binaries; that omission is a mismatch to the runtime commands. Because the code will be executed directly, verify the runtime interpreter (python3) and that the files are trusted.
Credentials: okThe skill requests no environment variables, no credentials, and no config paths. The provided scripts operate on query strings and local file contents only, so no extra secrets appear to be required.
Persistence & Privilege: okalways:false and no install scripts are present. The skill does not request persistent or system-level privileges and does not modify other skills or system-wide settings. Autonomous invocation (disable-model-invocation:false) is allowed by default; this is normal but increases runtime blast radius if combined with other issues (none detected here).