Skill v1.0.0
ClawScan security
Feishu Ai Coding Assistant · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Review · Mar 14, 2026, 3:18 PM
- Verdict: Review
- Confidence: high
- Model: gpt-5-mini
- Summary: The skill generally matches its stated purpose (managing sub‑agents and installing CLI tools) but the repository contains hardcoded credentials in publish.sh and broad execution/write permissions that are disproportionate and risky.
- Guidance: Do not run the repository's publish.sh or any scripts that contain embedded tokens. Before installing or enabling this skill:
  1) Remove or sanitize publish.sh (delete the hardcoded CLAW_TOKEN and GITHUB_TOKEN), then rotate any exposed tokens immediately if you control those services;
  2) Review and, if needed, restrict the skill's permissions (limit exec/process and read/write scope to only the workspace);
  3) If you need to install, run in an isolated/sandbox environment first and avoid running global npm installs as root — prefer using a container;
  4) Ask the publisher to remove hardcoded credentials and provide a cleaned release;
  5) Consider restricting autoInstall behavior and reducing maxSubagents while you evaluate.
  The hardcoded tokens are the primary reason this package is suspicious — they could be accidental leaks or a sign of misuse, so treat the package as untrusted until cleaned.
- Findings
  - [hardcoded-credentials] unexpected: publish.sh contains two hardcoded tokens (CLAW_TOKEN and GITHUB_TOKEN) in plain text. These are not required for runtime operation by an end user and should not be present in the distributed skill.
  - [token-in-git-remote-url] unexpected: publish.sh constructs a git remote URL embedding a GitHub token (https://$GITHUB_TOKEN@github.com/...). Embedding credentials in remote URLs is insecure and unexpected for a runtime skill package.
Review Dimensions
- Purpose & Capability (note): Name/description describe an AI coding assistant that creates and manages sub‑agents and installs coding CLIs. Declared permissions (sessions_spawn, exec, process, read, write) and the SKILL.md instructions (installing CLIs, creating subagents, persisting session history) are overall consistent with that purpose. Requiring global npm installs and ability to run processes is expected for a tool that manages CLI code tools.
- Instruction Scope (ok): SKILL.md instructions focus on tool selection, installation commands (npm install -g ...), creating/managing subagents, and session persistence — all within the stated purpose. The instructions do not direct the agent to read arbitrary host files or exfiltrate data to unexpected external endpoints. They do recommend running global installs and creating files under a workspace, which is expected for this skill.
- Install Mechanism (concern): No automatic install spec in registry (instruction-only), but the repository includes npm-based install commands and a publish.sh which performs network operations. The publish.sh contains hardcoded tokens (CLAW_TOKEN and GITHUB_TOKEN) and uses a GitHub URL with an embedded token — this is a high-risk pattern (hardcoded credentials in a script) and is disproportionate to runtime needs of end users. The repository references GitHub and ClawHub which are reasonable, but the publish script's embedded secrets are a clear red flag.
- Credentials (concern): The skill declares no required environment variables or credentials for runtime, which matches SKILL.md. However, the publish.sh includes two hardcoded credentials inside the repo (a ClawHub token and a GitHub token). Those credentials are unrelated to normal runtime operation for an end user and indicate either leaked secrets or an attempt to enable automated publishing/pushing from the environment. The skill also requests broad permissions (exec/process/read/write/edit) — reasonable for a coding assistant but worth restricting and auditing before granting.
- Persistence & Privilege (note): always is false (good). The skill enables session history persistence and persistent channel bindings in metadata (consistent with SKILL.md) which means it can create persistent sessions when permitted by the platform. Autonomous invocation is allowed by default (disable-model-invocation: false) — normal for skills — but combined with the broad permissions and the hardcoded publish tokens, this increases the blast radius if abused. The skill does not attempt to modify other skills' configuration in the files presented.
