Skillv2.1.1

ClawScan security

Ravi secrets · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

SuspiciousApr 8, 2026, 5:47 AM

Verdict: suspicious
Confidence: medium
Model: gpt-5-mini
Summary: The skill's described purpose (an encrypted key-value secret store) matches its commands, but the SKILL.md assumes a 'ravi' CLI, parsing tools, and an authentication model that are not declared or explained, which is inconsistent and could lead to secret exposure.
Guidance: This skill claims to be a secrets store but doesn't declare the 'ravi' CLI, jq, or any authentication details. Before installing or using it: (1) ask the author for the CLI's source/release URL and an install method so you can verify the binary; (2) confirm how the CLI authenticates (what credential or login is required) and ensure that credential is scoped and stored securely; (3) be aware the documented outputs show plaintext secret values (including in list), which can leak to logs, shell history, or other tools—only use in environments where that risk is acceptable; (4) avoid storing high-risk secrets until provenance and auth are clear. If the author cannot provide a repository, homepage, or clear auth/install instructions, treat the skill as untrusted.

Review Dimensions

Purpose & Capability: concernThe name/description and runtime instructions consistently describe a secrets store (set/get/list/delete). However the SKILL.md assumes a 'ravi' CLI exists and returns plaintext secret values, yet the skill metadata lists no required binaries, no install spec, and no authentication/credential requirements. That mismatch (expecting a CLI and a live server with auth but declaring none) is unexplained and disproportionate.
Instruction Scope: concernInstructions are narrowly scoped to secret management commands, but they explicitly show the CLI returning plaintext secret values (even in list output) and recommend populating environment variables (e.g. API_KEY=$(ravi secrets get ...)). Those patterns increase the chance of secrets ending up in agent logs, shell history, or environment. The doc also uses 'jq' for parsing but does not declare that as a dependency.
Install Mechanism: noteNo install specification is provided (instruction-only), which by itself is low risk. However the SKILL.md presumes a 'ravi' binary and parsing tools (jq) are present on PATH without declaring them or showing how to install them. The lack of provenance (no homepage, no source repo) prevents verifying the CLI's origin.
Credentials: concernThe skill requests no environment variables or primary credential in metadata, yet the documented commands imply communication with a server and an authentication mechanism. The instructions demonstrate storing highly sensitive items (API keys) and returning them in plaintext; metadata should have declared how the agent authenticates and what credentials are required. Absence of those declarations is disproportionate to the stated purpose and increases risk of misconfiguration or inadvertent exfiltration.
Persistence & Privilege: okThe skill is not force-installed (always: false) and is user-invocable. It allows autonomous invocation (disable-model-invocation: false), which is the platform default. There is no install-time persistence or other privileges requested in the metadata.