Skillv1.0.0

ClawScan security

360Guard · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

ReviewMar 13, 2026, 9:03 AM

Verdict: Review
Confidence: medium
Model: gpt-5-mini
Summary: 360Guard's purpose and included scanner scripts mostly match (it's a security-vetting tool), but there are implementation issues and a prompt-injection signal that don't align with a trustworthy vetting tool and warrant manual review before use.
Guidance: This skill is a scanner and generally does what it says, but I found two things to worry about: (1) the Node scanner excludes a 'scripts' directory from scanning, which could hide malicious scripts from its own checks — that contradicts 'comprehensive' scanning and should be fixed or at least documented; (2) SKILL.md contains unicode control characters (prompt-injection signal) — inspect and remove them or ask the publisher why they're present. Before running 360Guard on untrusted Skills, do these steps: run it on a copy of the target in an isolated environment (container or VM), manually inspect the target's scripts/ and any files the scanner would skip, examine scripts/scanner.cjs and the bash scripts to ensure they are benign, and avoid scanning targets that contain sensitive credentials unless done in a fully controlled sandbox. If the author or source is known and you can confirm the control chars are benign and the 'scripts' exclusion is intended and documented, this assessment would move toward benign.
Findings: [unicode-control-chars] unexpected: Control/unicode-invisible characters were detected inside SKILL.md. A vetting tool shouldn't include prompt-injection characters in its own instructions; this may be accidental (copy/paste) but could also be an attempt to manipulate automated readers. Recommend inspecting SKILL.md for hidden control characters and removing them or asking the author for clarification.

Review Dimensions

Purpose & Capability: noteThe skill's name, description, and included scripts (Node scanner + quick/full bash scans) are consistent with a 'skill vetter' — it performs static pattern checks and produces reports. However, the Node scanner intentionally excludes a 'scripts' directory (EXCLUDE_DIRS includes 'scripts'), which is surprising for a scanner because many malicious behaviors live in script directories; this exclusion undermines the stated goal of comprehensive scanning and is disproportionate to the purpose.
Instruction Scope: concernSKILL.md instructs running the provided quick/full scans and the Node scanner against target Skill folders (expected). But a pre-scan detected unicode-control-chars in SKILL.md (prompt-injection pattern), which is suspicious and could indicate an attempt to influence or confuse automated evaluators or viewers. The scripts read files under the target path and write a report into the same scanned directory (360guard-report-*.txt) — writing reports is expected, but running these tools on untrusted code should be done in a sandbox. The scanner's pattern list includes process.env and credential regexes to detect sensitive access (expected), but the exclusion of 'scripts' can create blind spots.
Install Mechanism: okNo install spec is present (instruction-only with shipped scripts). That is lower risk than arbitrary remote downloads. The skill ships local scripts rather than pulling code at install time, so nothing is downloaded from unknown URLs during installation.
Credentials: okThe skill declares no required environment variables or credentials, and its scanners only look for sensitive patterns in target code rather than requesting secrets. There is no disproportionate credential request. (Be aware the scanner flags process.env usages when scanning other code — that's normal for a vetter.)
Persistence & Privilege: okThe skill does not request persistent presence (always: false) and does not modify other skills' configs. It will create report files in the scanned directory, which is reasonable for a scanner, but you should run it in a sandbox when scanning untrusted packages.