Skill v0.4.1
ClawScan security
Roundtable · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Benign · Apr 29, 2026, 11:37 AM
- Verdict: benign
- Confidence: high
- Model: gpt-5-mini
- Summary: The skill's instructions, files, and requirements are coherent with its stated purpose (a 3-role multi-agent council); it requires no installs or credentials. The main practical risk is persistent session logging of user queries if enabled.
- Guidance: This skill appears to do what it says and does not request credentials or install code. Before installing or running it, consider: 1) Logging: the setup defaults include session logging to memory/roundtable/. If you or your users may submit sensitive data, choose 'No logging' during setup or ensure the workspace memory storage meets your privacy requirements. 2) Config file: the wizard writes config.json into the skill directory after confirmation; review its contents before enabling features like round2 or max_budget. 3) Web/tooling: the Scholar role mentions web results; if the host agent has browsing or external connectors, those tools and their credentials are outside this skill, so ensure those integrations are controlled. 4) Cost and data exposure: multi-agent runs multiply model calls; avoid sending secrets in queries. If these items are acceptable, the skill is coherent and can be used; if you need stronger guarantees, disable logging and review the saved config/logs after setup.
Review Dimensions
- Purpose & Capability (ok): Name/description, README, and SKILL.md align: the skill orchestrates three specialist sub-agents (Scholar/Engineer/Muse), supports model/preset/config options, and optionally logs sessions. There are no unrelated required binaries, environment variables, or external service credentials requested that would be inconsistent with a debating/multi-agent skill.
- Instruction Scope (note): SKILL.md stays within the declared purpose: parsing commands, dispatching role-specific prompts, optional Round 2, and synthesizing results. It explicitly treats user query text as untrusted and prescribes a safe wrapper pattern to mitigate prompt-injection. Notable: the setup writes a config.json into the skill directory and (if enabled) saves session logs under memory/roundtable/; these are legitimate for auditing but mean user query contents (which can include sensitive info) may be persisted. The doc references web results and Scholar verification, but does not declare or require specific web/search credentials; this is plausible (uses host agent tools) but worth being aware of.
- Install Mechanism (ok): Instruction-only skill with no install spec and no code files to execute. This minimizes disk-written third-party code and reduces installation risk.
- Credentials (note): The skill requests no environment variables, credentials, or unusual config paths, which is proportional to its purpose. The only persistent artifacts are config.json (written to the skill directory after explicit user confirmation) and optional session logs at memory/roundtable/, which may store user data; this persistence is the only notable privilege relative to environment access.
- Persistence & Privilege (note): always:false (no forced inclusion) and autonomous invocation is the platform default. The skill will write its own config.json in its skill directory and may write session logs to memory/roundtable/ if the user enables logging. Those writes are scoped and explicitly restricted in SKILL.md (fixed log_path), which is better than arbitrary paths, but they do create persistent storage of user queries.
