Skill v1.0.3
ClawScan security
Nova权限系统 · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Review Mar 14, 2026, 4:52 AM
- Verdict: Review
- Confidence: medium
- Model: gpt-5-mini
- Summary: The skill appears to implement a permission system that matches its description, but it instructs global agent config changes, includes sub-skills that mark themselves as always-enabled, and the code/data formats contain inconsistencies — these factors are intrusive and deserve review before installing.
- Guidance: Things to do before installing or enabling:
  - Don’t immediately copy the AGENTS.md rules into your global agent config. Back up AGENTS.md and other configs first.
  - Review the sub-skills' SKILL.md files: permission-gate and identity-management declare always:true which forces persistent inclusion — remove or change this flag if you don't want them always-loaded.
  - Inspect and test the Python code in a sandbox. There are multiple inconsistencies (e.g., some functions expect {"users": [...] } but bundled data templates are plain arrays). These will likely cause runtime errors or unexpected behavior.
  - Confirm and restrict filesystem permissions for /workspace/data, /workspace/config, and /workspace/logs (audit.log) because logs and user data may contain personal information.
  - Run the skill in an isolated test agent (not your production assistant) and exercise edge cases: missing open_id, malformed data, and approval flows.
  - If you accept the global-enforcement model, prefer manual configuration of AGENTS.md by a trusted admin rather than blindly pasting the provided block.
  - If you are not comfortable with skills that alter agent-wide behavior or force persistent inclusion, decline or modify the skill to be opt-in (remove always:true) and fix the data-format/code mismatches first.
Review Dimensions
- Purpose & Capability (note): Name/description (permissions, identity, approvals) match the included modules (permission-check, permission-gate, identity-management, audit). No external credentials or unrelated binaries are requested, so capability requests are broadly proportionate to purpose. However, the SKILL.md explicitly instructs edits to a global AGENTS.md to make the skill mandatory for all non-conversational operations, which goes beyond a normal self-contained skill and affects agent-wide behavior.
- Instruction Scope (concern): Runtime instructions require you to modify AGENTS.md to insert mandatory security rules that force calling permission-gate and identity-management before any non-conversational operation. That is a cross-cutting, agent-level change (scope creep). The skill's own SKILL.md and sub-skill docs also insist on 'must' behavior and 'never skip' rules — this grants the skill influence over global agent decision flow. Additionally, some instructions reference /workspace files and require copying templates into /workspace/data, which means the skill will read/write your workspace data and log files.
- Install Mechanism (ok): No remote install or downloads are declared (instruction-only plus bundled source files). There is no network retrieval of code during install. Risk is limited to files being written into /workspace (data, config, logs) and the user manually editing AGENTS.md as instructed.
- Credentials (note): The skill requests no environment variables or external credentials, which is proportional. However, it requires read/write access to workspace data/config/log paths (/workspace/data, /workspace/config, /workspace/logs) and will store audit logs and user/account data locally; these files may contain PII, so protect them. Also note multiple code/data mismatches (e.g., code expects JSON objects with a top-level 'users' or 'accounts' key while provided templates are plain arrays) — this indicates likely runtime errors or a need for manual data normalization.
- Persistence & Privilege (concern): While the top-level skill has always:false in registry metadata, two included sub-skill SKILL.md files (permission-gate and identity-management) declare metadata marking them as always:true. That gives them permanent inclusion in agent runs (a high-privilege presence). Combined with the instruction to edit AGENTS.md to enforce mandatory calls, this provides the skill broad, persistent control over agent behavior. Consider this a significant privilege that should be consciously authorized.
