Skill v1.0.0

ClawScan security

00 Action Guard · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Suspicious · Mar 14, 2026, 4:17 AM
Verdict
suspicious
Confidence
medium
Model
gpt-5-mini
Summary
The skill's stated purpose (always-run action guard that calls a permission-gate) is coherent, but important details are missing and always:true gives it high privilege — this combination is ambiguous and warrants caution.
Guidance
This skill is a policy guard that mandates calling a 'permission-gate' before any non-routine action. That goal is reasonable, but before installing you should:
1) Ask the publisher to explain what 'permission-gate' is (a local skill, an internal API, or an external service) and where calls go;
2) Verify any endpoints, required credentials, and data sent during permission checks (the SKILL.md does not declare them);
3) Consider the risk of always:true: the skill will be active for every agent run and could intercept or block actions, so only enable it if you trust the skill's owner and can audit its behavior;
4) If possible, test in a restricted environment first and confirm the agent actually uses a trusted permission-gate implementation rather than an external/untrusted service.
If you cannot obtain clear answers about the permission-gate interface and data handling, treat this skill as potentially risky.

Review Dimensions

Purpose & Capability
note: Name and description match the instructions: the skill is an action guard that requires permission checks before non-routine operations. It asks for no credentials or installs, which is reasonable for a policy-first, instruction-only guard. However, the SKILL.md refers to calling a 'permission-gate' without specifying what that is (another skill, an API endpoint, or an internal procedure), which leaves an implementation gap.
Instruction Scope
note: Instructions are narrowly scoped to intercepting tool/skill calls and requiring a permission check result before proceeding. They do not reference reading files, env vars, or external endpoints explicitly, which is good. But because the guard mandates calling a separate 'permission-gate' without defining how to call it or what data is passed, the runtime behavior is ambiguous: an agent could call an external service (risking data exposure) or a locally installed policy skill (less risky).
Install Mechanism
ok: Instruction-only skill with no install spec and no code files; minimal disk/installation risk.
Credentials
note: The skill declares no required environment variables or credentials, which is appropriate for a policy wrapper. However, because it requires a 'permission-gate' call, any real permission gate might need credentials or endpoints; those are not declared here, creating a mismatch between expected runtime dependencies and declared requirements.
Persistence & Privilege
concern: The skill is published with always:true, meaning it will be force-included in every agent run. That is a significant privilege. While a guard may legitimately want high priority, always:true combined with the missing definition of where permission checks are sent raises the risk that this skill could intercept or influence every operation. The metadata justification in SKILL.md ('highest priority') is semantic but not a technical explanation of why always:true is required.