Skill v1.0.0
ClawScan security
Agent Skills For Context Engineering · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Benign · Apr 29, 2026, 10:47 PM
- Verdict
- benign
- Confidence
- medium
- Model
- gpt-5-mini
- Summary
- The skill is a coherent, instruction-first collection of context-engineering guidance and example scripts whose requested footprint (no env vars, no installers) matches its stated purpose, but reviewers should inspect the long SKILL.md and bundled scripts before enabling file-read or execution capabilities because prompt-injection patterns and broad filesystem guidance were detected.
- Guidance
- This collection appears to be what it says: documentation and example scripts for context engineering. Because SKILL.md content references reading files and operating on filesystem context, only enable it for agents that you trust and that run in sandboxes with limited file access. Before installing or running any included scripts: (1) manually inspect SKILL.md and the example scripts for any literal 'override' directives or hidden characters; (2) do not grant file-read, network, or execution permissions to the skill unless you have reviewed the code; (3) prefer installing individual skill SKILL.md files rather than the entire bundle if you only need one topic; and (4) in production, run the examples in isolated sandboxes and apply least privilege to the agent's toolset. If you want extra assurance, provide the SKILL.md and any scripts to a developer for a quick code audit before enabling autonomous agent invocation.
- Findings
- [ignore-previous-instructions] unexpected: SKILL.md contains text that matched an 'ignore previous instructions' pattern. In a repository explaining prompt engineering or defensive patterns this could be an explanatory example, but the phrase patterns are high-risk if loaded and executed literally by an agent. Manual review recommended.
- [system-prompt-override] unexpected: A system-prompt-override pattern was detected in SKILL.md content. The skill discusses system instructions and prompt design; however, wording that resembles a prompt override is potentially dangerous if the agent runtime treats skill text as high-priority system instructions. Verify the SKILL.md does not contain directives that would change agent control flow or bypass safety checks.
- [unicode-control-chars] unexpected: Unicode control characters were detected in the SKILL.md (a common technique used in prompt-injection obfuscation). This may be an editorial artifact or benign formatting, but it can also be used to hide malicious directives. Inspect the raw file for hidden characters before trusting automated parsing or executing any scripts that import these SKILL.md contents as code or prompts.
Review Dimensions
- Purpose & Capability
- ok: The name/description (Agent Skills for Context Engineering) match the repository contents: a collection of SKILL.md files, extensive documentation, and example scripts for building agent systems. There are no required env vars or binaries declared, and the included scripts/examples are consistent with a learning/reference collection for context engineering and multi-agent patterns.
- Instruction Scope
- note: The SKILL.md explicitly recommends filesystem-based patterns and mentions commands/tools like ls, glob, grep, and read_file. That is appropriate for a 'filesystem-as-memory' skill, but it also grants agents broad discretion to read files if the agent runtime exposes file-read tools. Additionally, static scans detected prompt-injection patterns (ignore-previous-instructions, system-prompt-override, unicode-control-chars) in the SKILL.md; these may be contextual (discussion of prompt injection or instruction handling) but deserve manual review because such phrasing can be abused if an agent automatically executes or trusts skill text as authoritative system prompts.
- Install Mechanism
- ok: There is no install spec (instruction-only skill) and nothing is downloaded or written by default. The README suggests curl/git-based manual retrieval of SKILL.md for single-skill use, which is normal for sharing docs. Because there is no automated download/extract/install step, risk from the installation mechanism itself is low.
- Credentials
- ok: The skill declares no required environment variables, credentials, or config paths. The many bundled example scripts mean there is code to inspect, but nothing in the metadata asks for unrelated secrets. Reviewers should still audit any example scripts before executing them because they may perform network access or shell operations when run locally.
- Persistence & Privilege
- ok: The skill does not request 'always: true' and is user-invocable only. It does not declare modifications to other skills or global agent settings. Autonomous agent invocation is allowed by default on the platform, but here that is not compounded by extra persistence privileges.
