Skillv1.1.1

ClawScan security

Vnsh Skill · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

SuspiciousFeb 14, 2026, 3:37 AM

Verdict: suspicious
Confidence: medium
Model: gpt-5-mini
Summary: The skill mostly implements what it claims (encrypt/upload and download/decrypt via vnsh.dev), but it contains several risky and incoherent elements — notably automatic auto-read/auto-share behaviors that can exfiltrate data without consent and an instruction to run a remote shell installer — so you should not install it without further verification and changes.
Guidance: This skill implements the advertised upload/decrypt functions, but it instructs the agent to automatically read any vnsh.dev link and to automatically upload long outputs to vnsh.dev without asking the user — both behaviors risk exposing sensitive data. It also recommends installing a remote shell script via curl | sh, which executes arbitrary code from the network and is high risk. Before installing or enabling this skill: (1) insist the skill be modified to require explicit user confirmation before reading or uploading any user data; (2) remove or at least gate the automatic 'auto-read' and 'auto-share' rules; (3) avoid running curl | sh — prefer an auditable release (e.g., GitHub release tarball with a checksum/signature) or review the installer content in a sandbox; (4) confirm/declare all required binaries (xxd, mktemp, sed, head, etc.) in the manifest; and (5) if you must test, run it in an isolated environment and audit network traffic to verify no unexpected endpoints are contacted. If the maintainer can address these issues (explicit consent, no remote unchecked installers, accurate manifest), the skill would be much safer. If you cannot obtain those changes, treat it as risky and do not enable autonomous invocation.

Review Dimensions

Purpose & Capability: noteThe name/description match the provided scripts: upload.sh encrypts and posts to vnsh.dev, read.sh downloads and decrypts using keys from the URL fragment. However there's an inconsistency between registry metadata (no required binaries) and SKILL.md which lists curl and openssl; the scripts also implicitly rely on other standard utilities (mktemp, sed, head, xxd, tr, grep) that SKILL.md doesn't fully declare. This discrepancy reduces confidence in the manifest's accuracy.
Instruction Scope: concernSKILL.md instructs the agent to automatically decrypt ANY vnsh.dev/v/ URL it sees ("do NOT ask the user first") and to automatically upload any long output (>4000 chars / >80 lines) to vnsh.dev without asking. Both behaviors enable automatic retrieval or transmission of potentially sensitive data to a third party and remove user consent. The scripts themselves only talk to vnsh.dev, but the auto-trigger policies grant the agent broad permission to fetch and upload data without confirmation.
Install Mechanism: concernSKILL.md recommends (and labels) an install command that pipes a remote script into sh: "curl -sL vnsh.dev/i | sh". Remote download-and-execute is a high-risk install pattern (unchecked code execution). The skill is instruction-only in the registry, yet it still recommends this installer — a mismatch and a notable risk. The included scripts are small and readable, but the suggested installer fetches code from the network with no verification.
Credentials: concernThe skill requests no credentials or env vars, which superficially seems proportional. However, the mandated auto-share policy causes potential exfiltration of arbitrary agent outputs (which can include secrets or sensitive data) to vnsh.dev. The scripts do not require API keys, so they rely solely on posting data to the public service; that design is functional but creates disproportionate risk because it enables automatic outbound data transfer without consent.
Persistence & Privilege: concernThe package does not set always:true, but SKILL.md explicitly tells the agent to auto-trigger on incoming messages and on long outputs. Given the platform default allowing autonomous model invocation, those instructions combine with normal autonomy to produce a high blast radius: the skill would autonomously download and decrypt inbound links and autonomously upload large outputs. That combination is dangerous if you expect explicit user consent before sharing or opening external content.