Skill v1.0.0

ClawScan security

Upstream Recon · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Suspicious · Feb 18, 2026, 12:58 AM
Verdict: suspicious
Confidence: medium
Model: gpt-5-mini
Summary
The skill's purpose and instructions match (it analyzes GitHub repos), but it omits and assumes key runtime requirements (notably the gh CLI and associated GitHub auth), creating an incoherence you should understand before trusting it.
Guidance
This skill appears to do what it claims (analyze a repo's issues/PRs/maintainer behavior), but it assumes the `gh` CLI is installed and will use the agent's GitHub authentication (which could include access to private repos). Before installing or invoking it: ensure you have `gh` installed and understand which GitHub account/token the agent will use; do not run it if you don't want the agent to query private repositories with your credentials. Ask the skill author to update the manifest to declare `gh` as a required binary and to document that it uses the agent's GitHub auth; if you need stricter isolation, run these `gh` queries yourself or in an environment with limited credentials.

Review Dimensions

Purpose & Capability
Concern: The skill claims to analyze GitHub repos and its SKILL.md explicitly instructs the agent to use the `gh` CLI for all queries. However, the declared requirements list no required binaries or credentials — a mismatch. A reconnaissance skill reasonably needs `gh` (or equivalent) and access to the user's GitHub auth, so the manifest is incomplete.
Instruction Scope
Note: Instructions stay on-purpose (repo metadata, issues, PRs, comments). They instruct reading issue/PR comments and contributor histories using `gh`. They do not tell the agent to read unrelated local files or exfiltrate data. However, they assume the agent may access repository data (public or private) via the user's GitHub credentials without explicitly stating that scope or permission model.
Install Mechanism
OK: This is instruction-only with no install spec or code files, so nothing is written to disk by the skill itself. That minimizes install-time risk.
Credentials
Note: The skill declares no required environment variables or primary credential, but runtime use of `gh` will use whatever GitHub auth is configured for the agent (gh auth token or cached session). The skill should have declared the dependency on `gh` and documented that it will use the agent's GitHub credentials; the omission is an oversight that affects proportionality and user consent.
Persistence & Privilege
OK: The skill is not always-enabled and does not request any persistent system presence or elevated privileges. It does not modify other skills or system settings per the provided files.