Skill v2.0.0

ClawScan security

aegis-skill-vetter · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Benign · Mar 13, 2026, 7:06 AM
Verdict
Benign
Confidence
medium
Model
gpt-5-mini
Summary
This is an instruction-only skill whose commands and checks align with its stated purpose (vetting other skills), but it assumes broad file-system and tooling access and has aggressive automatic-reject rules—review before granting execution privileges.
Guidance
This skill is internally coherent for the purpose of vetting other skills, but before installing or allowing it to run: (1) Only run it when you trust the skill source (author/homepage unknown here); (2) Run the vetter against a copy of the target skill in an isolated environment (or sandbox) until you’re confident in its behavior; (3) Confirm required command-line tools (curl, jq, grep, npm/pip audit tools, etc.) are available in the environment or accept that the vetter will fail; (4) Expect the vetter to read your workspace/skill folders and scan code for credential patterns—do not point it at directories with raw secrets; (5) Review automatic-reject rules (they are aggressive and may cause false positives) and consider performing manual review for hits before permanently refusing installation. If you provide the skill's origin/author or a homepage, reassess confidence upward.

Review Dimensions

Purpose & Capability
ok: The name/description (skill vetter) match the SKILL.md content: it lists source reputation checks, static scanning, dependency analysis, and permission checks. The actions it asks for (grep, curl to GitHub API, reading package manifests, running npm/pip audits) are reasonable for a vetting tool.
Instruction Scope
note: The SKILL.md instructs the agent to run many shell commands (grep, curl, ls, cat, jq, npm audit, pip-audit, etc.) across a skill folder and to inspect indicators that may reference sensitive paths (e.g., ~/.ssh, ~/.aws) and files. Those operations are coherent for vetting, but they give the skill broad discretion to read workspace files and scan for patterns; the protocol also contains automatic immediate-reject heuristics which may be aggressive and could produce false positives. There is no explicit instruction to transmit results to third-party endpoints other than standard API calls (GitHub API via curl).
Install Mechanism
note: Instruction-only (no install). This minimizes disk footprint, but the instructions assume availability of tools (jq, curl, grep, npm/pip audit tools, pip-audit, cargo-audit, etc.) without declaring or installing them. If these tools are not present the workflow will fail; conversely, granting shell access to supply them is required to run the vetter fully.
Credentials
note: The skill does not request environment variables or credentials in its manifest, which is appropriate. However, the runtime instructions explicitly search source for references to credential files and config paths and read workspace directories (e.g., ~/.openclaw/workspace/skills/). That access is proportionate to vetting, but users should be aware the skill will inspect local skill code and metadata and may surface sensitive indicators found in that code.
Persistence & Privilege
ok: No elevated persistence requested (always:false). The skill does not modify other skills or system-wide agent settings in its instructions. Autonomous invocation is allowed (platform default), which is normal for a vetter but increases blast radius if the skill were malicious. However, there is no claim of forced inclusion or self-enablement.