Skill v1.0.0

ClawScan security

Ai C Plan · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Suspicious · Feb 28, 2026, 2:11 PM
Verdict: suspicious
Confidence: medium
Model: gpt-5-mini
Summary
The skill's instructions ask an agent to read and modify a local project tree, create files, run migrations and make git commits without declaring required tools or clearly limiting what it may touch, which is disproportionate to the metadata provided and risky to run autonomously.
Guidance
This skill will autonomously read and modify a local project tree, create configuration files, run build/test commands and database migrations, and make git commits. Before installing or running it:
- Do not run against a production machine or repository. Test in an isolated VM/container or a forked repo.
- Ensure backups and database snapshots exist (migrations can change data). Require explicit confirmation before applying migrations to any real DB.
- Inspect plan files and the architecture/UI documents it will read (plan/* and docs/architecture/* and /home/adige/AI-C/desing); these are referenced by absolute paths. Fix the '/desing' typo if necessary.
- Verify the environment: the skill expects tools such as git, Node/npm or yarn, Prisma/DB tools, test runners and possibly docker, but it does not declare them. Add checks or declare required binaries and versions.
- Confirm that .env files in your workspace do not contain production secrets. The skill will create .env.example files and tries to avoid writing real secrets, but you should still ensure the agent cannot access live credentials.
- Prefer changing the skill to ask for explicit per-step user approval for any potentially destructive action (git push, DB migrate, deleting files, prod deploy).
- If you plan to proceed, request the maintainer to: (1) declare required binaries and env vars in the metadata, (2) remove hard-coded absolute paths or make them configurable, (3) disable fully-autonomous actions for migrations and commits or require user consent, and (4) add preflight checks that detect and refuse to operate on production remotes/DBs.
Given these issues, treat the skill as suspicious until the above inconsistencies are addressed.

Review Dimensions

Purpose & Capability
Note: The declared purpose (automatically execute a project plan from MD/CSV, implement, test, report) is plausible for the instructions. However, the skill does not declare any required binaries, tools, or environment variables even though the runtime instructions explicitly expect git, build/test/lint tooling, Prisma migrations, Node/JS toolchain, and filesystem access under /home/adige/AI-C. This mismatch (no declared binaries/envs despite demanding build/migration steps) is an inconsistency that should be fixed.
Instruction Scope
Concern: SKILL.md instructs the agent to read and enforce a local architecture doc and UI files at hard-coded absolute paths (e.g., /home/adige/AI-C/docs/..., /home/adige/AI-C/desing and /home/adige/AI-C/progress.json), auto-create folders/files, run database/schema migrations and run lint/test/build commands, and commit changes. These are broad, privileged operations on the user's filesystem and potentially on databases; they go beyond a simple 'read a plan' skill and could have destructive side effects if run against a production database or repository. The SKILL.md also contains a likely-typo path (/desing) which may cause unexpected behavior.
Install Mechanism
Note: This is instruction-only (no install spec), which limits written code risk. However, not declaring required tooling is problematic: the instructions expect runtime tools (git, node/npm/yarn, prisma/migration tooling, test runners, possibly docker) but provide no guidance or checks. That mismatch increases the chance the agent will fail unpredictably or attempt actions assuming tools exist.
Credentials
Concern: The skill declares no required environment variables or credentials, yet the ENV POLICY section places heavy emphasis on .env files, creating .env.example files, and using .env to control external services. The skill will read/write .env.example and expects to use DEV_FALLBACK_MODE for missing secrets. This is inconsistent: the skill will interact with secrets/config but does not declare them, and it uses absolute repo paths that may contain sensitive data. Requesting no env vars while instructing access to environment-managed secrets is disproportionate.
Persistence & Privilege
Concern: The skill will persist progress to a hard-coded path (/home/adige/AI-C/progress.json), auto-init git if no repo exists, and write files/configs inside the workspace. While it is not 'always: true', its Autopilot Mode explicitly proceeds without per-step user approval (unless blocked). Autonomous execution combined with filesystem writes and DB migrations increases risk, especially because the skill can run schema migrations, commit changes, and modify repo structure without explicit approval.