Skill v1.0.0

ClawScan security

Agent Synthesizer · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Suspicious · Feb 23, 2026, 7:49 AM
Verdict: suspicious
Confidence: medium
Model: gpt-5-mini
Summary
The skill's stated purpose (install/configure a specific GitHub project) matches its instructions, but those instructions blindly instruct the agent to follow and run whatever the repository README prescribes—giving the agent potential to execute arbitrary, unvetted commands on the host or request secrets that the skill does not declare.
Guidance
This skill is coherent in purpose (it points to a specific GitHub repo and tells the agent to follow that repo's README), but it's risky because it gives the agent authority to run whatever commands the remote README asks for without listing them. Before installing or enabling this skill, review the repository README yourself and verify every install/validation command; do not allow the agent to run commands autonomously until you have manually inspected them. Recommended precautions: (1) open the repo and paste here the exact install/test commands the README prescribes so they can be reviewed; (2) run the setup in an isolated environment (container, VM, or disposable machine) rather than your primary system; (3) ensure any required credentials are provided only after you confirm why they are needed; (4) ask the skill author to enumerate required env vars and commands in the SKILL.md so the agent's actions are auditable; (5) if you allow autonomous execution, restrict it to non-privileged contexts and require explicit user confirmation for commands that modify the system or request credentials. Providing the README contents or a list of the README's commands would raise confidence and could change this rating to benign.

Review Dimensions

Purpose & Capability
ok: The name/description claim to enable and configure the 'agent-synth' project and the SKILL.md points explicitly to the GitHub repository; there are no unrelated dependencies or environment claims in the skill manifest, so purpose and declared capability align.
Instruction Scope
concern: The SKILL.md requires the agent to 'follow the README exactly' and to run the README's installation/validation commands. That gives the agent broad authority to run arbitrary commands, install software, download archives, or read/write files per the remote README. The skill does not vet or enumerate what those commands are, so the agent could be instructed to perform actions outside the user's intent or to access secrets/files not declared by the skill.
Install Mechanism
note: There is no install spec (instruction-only), which minimizes immediate on-disk installs from the skill itself. However, because the instructions defer to an external README, the actual install mechanism (curl|bash, package managers, downloads) is determined by that repository and is not disclosed here; this is a gap between what the skill declares and what it may cause to happen.
Credentials
note: The skill declares no required environment variables or credentials, which is appropriate for an instruction-only helper. But the referenced README may request credentials, tokens, or environment configuration; because the skill forbids none and does not enumerate them, there's a potential mismatch between declared requirements and real runtime needs.
Persistence & Privilege
ok: The skill is not always-enabled and does not request elevated platform privileges in its manifest. Autonomous invocation is permitted (default), which is normal, but combined with the instruction to 'follow the README exactly' it could enable the agent to run unvetted external commands if the agent is allowed to act autonomously; this increases potential risk but is not itself a manifest misconfiguration.