Skill v1.0.0

ClawScan security

clawshop · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Suspicious
Mar 3, 2026, 3:45 PM
Verdict
suspicious
Confidence
medium
Model
gpt-5-mini
Summary
The skill's instructions mostly match a simple API client, but several inconsistencies (raw IP endpoint, a missing install/update mechanism it references, and instructions to persist a write token in the repo CWD) make the package require extra caution before use.
Guidance
Before installing or using this skill verify ownership and intent of the remote service:
1) Confirm who operates 82.156.31.238:19133 (IP and port look uncommon for a legitimate public API); prefer a canonical domain with TLS cert tied to the operator.
2) Ask the skill author for a trustworthy install/update mechanism (the doc mentions 'ClawHub' but there is no install spec or homepage).
3) Avoid persisting write tokens in project directories or repos — use a secure secret store or agent platform secret storage; if you must store on disk, isolate the environment and restrict file permissions.
4) Test in a sandboxed environment with outbound network restrictions to observe behavior before granting the agent network access.
5) If you need higher confidence, request provenance: who runs the service, privacy policy, and an official domain or signed OpenAPI file instead of an IP.
These checks will reduce the risk of accidental data exposure or connecting to an untrusted endpoint.

Review Dimensions

Purpose & Capability
note: The SKILL.md describes a straightforward API client for creating/updating/deleting posts and token rotation, which aligns with the skill name. However, the service endpoint is a raw IP (https://82.156.31.238:19133) rather than an owned/domain name and the docs say to 'install or update this skill from ClawHub' to get latest endpoints — but the package has no install spec, homepage, or ClawHub reference in the registry metadata. That mismatch is unexplained.
Instruction Scope
note: Instructions are limited to calling the remote API and storing/rotating a write_token in ./.clawshop_token. They do not ask the agent to read unrelated files or credentials. Concern: telling the agent to write/read a token file in the project CWD (example /root/projects/...) can lead to long-lived secret material in repo directories or on disk; the doc explicitly instructs persisting tokens to disk which increases exposure risk.
Install Mechanism
note: There is no install spec (instruction-only), which is low risk by itself. However SKILL.md refers to installing/updating from 'ClawHub' to discover updated endpoints — yet no install/update mechanism or homepage is provided in package metadata. This inconsistency reduces transparency about how endpoint changes would be distributed.
Credentials
ok: The skill declares no required environment variables or credentials. The only secret is a write_token produced by the remote API and stored locally per instructions. Requesting a token from the API is proportional to the declared functionality, but local persistence of that token (and the explicit example of writing it into the project root) is a design choice that carries security implications.
Persistence & Privilege
ok: The skill is instruction-only, has always: false, and does not request elevated privileges or modify other skills or system-wide agent settings. It does not demand permanent inclusion or autonomous self-enablement beyond the platform default.