Skillv2.1.1

ClawScan security

Ravi ravi · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

ReviewApr 8, 2026, 5:47 AM

Verdict: Review
Confidence: medium
Model: gpt-5-mini
Summary: The skill's instructions match an identity/secrets service, but the bundle omits declaring the required CLI/config paths and endorses sending plaintext secrets and feedback to the vendor — these mismatches and high privileges are concerning.
Guidance: This skill is not obviously malicious, but it has several red flags you should consider before installing: 1) It expects a 'ravi' CLI and a local config at ~/.ravi/config.json but the manifest does not declare these requirements or how to obtain/verify the CLI. Verify the vendor/source and installation instructions before installing any binaries. 2) The skill gives agents access to real inboxes, phone numbers, OTPs, and a secret store — ensure you really want an agent to manage or forward credentials. 3) The SKILL.md encourages sending feedback to feedback@ravi.id; avoid including secrets, OTPs, or API keys in feedback messages. 4) If you enable agent autonomy, consider disabling autonomous invocation for this skill (or restrict its use) so it cannot perform signups, read OTPs, or exfiltrate secrets without explicit human approval. 5) Ask the publisher for a clear install source, a signed binary or package, and documentation describing how credentials are stored and protected; inspect ~/.ravi/config.json after onboarding to understand what keys are stored locally. If you cannot validate the CLI source or you do not accept the data-exposure risks, do not install or enable autonomous use of this skill.

Review Dimensions

Purpose & Capability: concernThe SKILL.md describes a CLI-based identity/secrets provider (email, phone, OTP handling, encrypted secret store) which is coherent with the skill's description, but the package metadata lists no required binaries or config paths. The instructions assume a 'ravi' CLI is present and that keys are stored at ~/.ravi/config.json; those requirements should be declared in the skill manifest but are not.
Instruction Scope: concernInstructions direct the agent to perform high-impact actions: onboarding via `ravi auth login`, create/read OTPs and emails, perform end-to-end signups/logins, and store or retrieve API keys and secrets. They also encourage always sending feedback to feedback@ravi.id. That feedback step can lead to sensitive data being transmitted to the vendor if not explicitly sanitized. The scope is broad and could enable credential/OTP exfiltration if abused.
Install Mechanism: noteThis is instruction-only (no install spec), which limits on-disk modifications by the skill itself. However, the SKILL.md requires an external 'ravi' CLI/tool that is not provided or referenced by a vetted install source; the skill does not document how that binary should be obtained or verified.
Credentials: concernThe manifest requests no env vars, but the instructions explicitly tell the agent to store and retrieve other services' API keys (example: OPENAI_API_KEY) and to send/receive plaintext secrets to the Ravi service. The skill grants access to highly sensitive assets (inboxes, OTPs, secret store) yet declares no primary credential or configuration path — a mismatch and a high-privilege capability that should be justified and minimized.
Persistence & Privilege: concernalways:false (good), but the skill allows autonomous invocation (disable-model-invocation:false) while exposing high privileges (identity, OTPs, secrets). Autonomous use combined with broad secret-handling capabilities increases risk; the manifest does not limit or document safe usage boundaries or vendor verification steps.