Skillv0.1.0

ClawScan security

Writing Style Iterator · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

SuspiciousFeb 28, 2026, 2:11 AM

Verdict: suspicious
Confidence: high
Model: gpt-5-mini
Summary: The skill's purpose (remembering/applying a user's writing style) matches the file-based workflow described, but the instructions ask the agent to read/modify arbitrary user files and auto-commit style changes without declaring required binaries or config paths and without asking the user — this mismatch and the automatic write behavior are concerning.
Guidance: This skill appears to implement a local, git-backed writing-style memory that reads and writes your files and keeps a history. Before installing or enabling it consider: - The skill will create ~/.writing-style-iterator and commit copies of whatever files you let it handle; check and approve this directory and its retention policy. Back up important files first. - The SKILL.md expects git and standard shell tools but the skill metadata doesn't declare them — confirm the runtime environment has the expected tools and that you trust them. - The instructions tell the agent to modify user files without asking ('Don't ask Y/N'). If you want control, require the skill to prompt before writing or limit it to producing suggestions only. - Limit the skill's scope: prefer configuring explicit directories it may operate on (e.g., a project folder) rather than allowing arbitrary absolute paths. - Ask the author (or require an updated skill) to: (1) declare required binaries (git, diff, cp), (2) declare the config path (~/.writing-style-iterator), (3) remove the 'do-not-ask' mandate or make it configurable, and (4) provide a homepage/source and code review so you can inspect how diffs and rule-extraction are implemented. If you cannot get these changes, treat the skill as high-risk: either run it in a restricted environment or do not enable autonomous invocation and require explicit user consent for every file-write operation.

Review Dimensions

Purpose & Capability: concernThe declared purpose (writing-style memory) aligns with the workflow (reading drafts, extracting rules, updating a style file). However, the SKILL.md requires filesystem operations (reading/writing arbitrary user files, creating ~/.writing-style-iterator, committing with git) but the skill metadata declares no required binaries or config paths. The absence of declared requirements (git, cp, diff, bash tools, and the ~/.writing-style-iterator path) is an incoherence.
Instruction Scope: concernThe instructions explicitly tell the agent to read arbitrary absolute user file paths, copy them into a dot-directory, compute diffs, update user files, and auto-commit changes. It also instructs 'Don't ask Y/N. Directly do then notify.' That grants the agent broad discretion to modify user files without explicit per-change consent — scope creep relative to a typical 'suggest edits' assistant and a user-safety risk.
Install Mechanism: noteThis is an instruction-only skill with no install spec (lowest install risk). However, the runtime commands assume git and standard Unix tools are present; the metadata does not declare those as required binaries. The lack of declared runtime dependencies is a mismatch to the instructions and should be fixed.
Credentials: concernNo environment variables or credentials are requested (appropriate). But the skill implicitly requires access to the user's filesystem and a home-dot directory (~/.writing-style-iterator). That required config path is not listed in metadata. Also, the skill makes no distinction between safe/unsafe files — it will operate on any absolute path supplied, which is disproportionate unless constrained or explicitly consented-to by the user.
Persistence & Privilege: concernalways:false is appropriate. Still, the skill's runtime rule to 'automatically activate' for any writing/rewriting request combined with the instruction 'Don't ask Y/N. Directly do' plus the platform default that agents may invoke skills autonomously increases the risk of unexpected automatic file changes. The skill instructs creating persistent local state (a git repo with drafts and style history), which is reasonable for the feature but should be declared and subject to explicit user consent.