Skillv0.2.2

ClawScan security

KYC Vault · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

SuspiciousMar 8, 2026, 8:24 AM

Verdict: suspicious
Confidence: medium
Model: gpt-5-mini
Summary: The skill's purpose (automated KYC using local files) is plausible, but there are inconsistencies and assumptions about local file access and automation that are not declared in the registry metadata and depend on the agent/platform to enforce user prompts — this mismatch warrants caution.
Guidance: This skill's behavior (reading manifest.json and uploading identity documents) matches its stated purpose, but there are important mismatches and risks you should consider before installing: - The SKILL.md expects the skill/agent to access ~/identity-vault/ and to control a browser to upload files, but the registry metadata did not declare any required config paths or binaries. Ask the publisher or platform: how does the agent obtain permission to access your filesystem and browser? Are the in-chat confirmation prompts enforced by the platform or just guidelines the skill 'should' follow? - The skill will work with highly sensitive personal data (full name, DOB, passport images, etc.). Only use if you are certain the agent/process that executes skills runs locally and does not leak files to external servers. Review the platform's privacy model and logs. - Test first with dummy data: create a fake ~/identity-vault/ and manifest.json containing non-sensitive placeholders and run the flow against a non-production URL to confirm the agent prompts for every file and domain as promised. - Inspect manifest.json and the vault contents yourself before allowing any uploads, and never use this skill until you confirm the platform enforces the explicit confirmation steps (domain confirmation, per-file approval, final submit). If the platform cannot or does not enforce those prompts, do not store real identity documents in ~/identity-vault/ or use this skill. If you want, I can draft questions to ask the skill author or the platform operator to clarify the missing declarations (config paths, required capabilities) and how confirmations are enforced.

Review Dimensions

Purpose & Capability: concernThe skill claims to use a local vault at ~/identity-vault/ and to read manifest.json and user documents to complete KYC flows. However, the registry metadata lists no required config paths or required binaries and no primary credential — yet the SKILL.md explicitly depends on local filesystem access and browser automation to upload files. The skill therefore assumes capabilities (local file access, browser control) that are not declared in the manifest metadata.
Instruction Scope: noteSKILL.md narrowly defines steps, permission prompts, and domain verification, and it insists on asking the user before reading or uploading any file. That is good practice. However, because this is an instruction-only skill with no code, these are just behavioral rules the agent is told to follow — the platform must actually enforce/observe those prompts. The instructions also require reading sensitive local data (personal_info in manifest.json) and performing uploads to external sites, which are high-sensitivity operations and should be treated carefully.
Install Mechanism: okNo install spec and no code files — instruction-only — so nothing is automatically downloaded or executed by the skill. The README contains a curl example to fetch a manifest template from raw.githubusercontent.com, but that is a user-run step, not an automated install action.
Credentials: noteThe skill requires no environment variables or external credentials (proportionate). However it requires the user to place highly sensitive documents and personal_info into ~/identity-vault/ (manifest.json). That sensitivity is expected for the stated purpose but is not reflected in the registry's declared config path fields — an inconsistency the user should note.
Persistence & Privilege: okalways is false and there's no indication the skill requests persistent or system-wide privileges. It does not declare modifying other skills or system settings.