Skill v1.0.3
ClawScan security
WORKSTATION.md - Your Agent's Own Linux Server · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Suspicious · Mar 24, 2026, 10:20 AM
- Verdict: suspicious
- Confidence: medium
- Model: gpt-5-mini
- Summary: The skill's instructions plausibly do what it claims (create root-access Linux servers and host sites), but it asks you to install an unverified npm package and to SSH files/commands to unknown remote machines — a combination that warrants caution.
- Guidance: This skill tells you to install and run an unverified npm CLI that will create remote root-access servers you do not control. Before installing or using it, verify the npm package and its publisher (check the npmjs.org page, package source code, and signatures), and confirm who operates the workstation.md backend and any billing or abuse policies. Never upload private keys or sensitive secrets to these remote machines; create a fresh, disposable SSH keypair for this use and delete it afterward. If you must try it, do so from an isolated environment (container or throwaway VM), inspect the installed package contents, and avoid transferring confidential data or credentials to the provisioned server.
Review Dimensions
- Purpose & Capability (note): The SKILL.md instructions match the advertised capability (provision a server, give root SSH, serve content on https://<name>.workstation.md). However, the skill provides no provenance (no homepage, unknown source) and does not explain billing/ownership or what backend is being used — so it's unclear who operates the hosts and why no cloud credentials are required.
- Instruction Scope (concern): Runtime instructions tell the agent/user to install a third-party npm CLI, generate/use local SSH keys, create remote root servers, run arbitrary commands as root, and copy files to those servers. Those actions are consistent with the stated purpose but expand the attack surface (remote hosts you do not control, potential exfiltration if secrets/files are copied). The SKILL.md grants broad discretion (run arbitrary commands on newly provisioned root boxes) without documenting limits or safeguards.
- Install Mechanism (concern): There is no declared install spec in the skill metadata, yet SKILL.md instructs `npm install -g workstation.md`. Installing an unverified global npm package runs arbitrary code on the local environment and is high risk if the package or its dependencies are malicious or compromised. The skill provides no package provenance, checksum, or official homepage to verify the package.
- Credentials (note): The skill does not request environment variables or credentials, which is reasonable for a hosted service. It does, however, instruct reading/creating SSH keys under ~/.ssh. That is expected for SSH access, but users should avoid uploading private keys or sensitive files to these remote hosts. The lack of any billing/account explanation is unexpected for a service that creates ephemeral root servers.
- Persistence & Privilege (ok): The skill is not force-included (always:false) and does not request persistent privileges in the agent system. It instructs installing a global npm CLI and generating SSH keys, which are user-level changes but not platform-level privileges. Autonomous invocation is allowed (default) but is not an additional red flag here.
