Skill v1.0.0
ClawScan security
浅草寺.skill · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Suspicious · Apr 14, 2026, 5:37 PM
- Verdict: suspicious
- Confidence: medium
- Model: gpt-5-mini
- Summary: The skill purports to be a simple, local ritual omikuji experience, but its included script downloads and executes code and data from a remote GitHub URL at runtime, which is disproportionate and risky.
- Guidance: This skill contains a local helper that downloads and executes code and data from a remote GitHub raw URL at runtime. That means the behavior can change after you install it, and the remote content could be malicious. Before installing: (1) ask the author to vendor the script and data into the skill package (no runtime downloads), or to provide a fixed, signed commit hash/URL rather than raw master/main; (2) inspect the remote repository contents and history yourself; (3) if you must run it, do so in a tightly sandboxed environment or VM with no access to sensitive credentials or networks; (4) prefer skills that are self-contained or whose remote downloads come from a pinned, auditable release. If you are not comfortable with remote code execution, do not install or use this skill.
Review Dimensions
- Purpose & Capability
  - concern: The skill is a lightweight ritual/fortune-telling UI and claims to use a bundled 1-100 fortune set, yet the included runtime helper (scripts/draw_omikuji.py) reaches out to raw.githubusercontent.com to fetch another script and JSON data, then executes the downloaded script. A self-contained omikuji skill should not need to fetch and run remote code; this behavior does not match the stated purpose and indicates an unnecessary remote dependency.
- Instruction Scope
  - concern: SKILL.md instructs the agent to run python3 scripts/draw_omikuji.py but does not disclose that the script performs network fetches and executes the downloaded script. The runtime instructions therefore omit a high-impact action (downloading and executing remote code), expanding scope beyond the described local experience.
- Install Mechanism
  - concern: There is no install spec, but the included script programmatically downloads two resources from a raw GitHub URL and then runs the fetched script via runpy.run_path. Downloading and executing remote code at runtime is high risk (the content can change on the remote repo) even though the host is GitHub raw; this is effectively a remote code execution bootstrap.
- Credentials
  - note: The skill declares no required env vars or credentials, which is appropriate. However, it performs outbound network access (HTTP GET to GitHub raw URLs) without declaring this behavior; network access is not a credential, but it is relevant to proportionality and threat surface.
- Persistence & Privilege
  - ok: The skill does not request always: true and does not modify agent-wide configuration. It writes temporary files and executes code in a temp directory but does not request persistent system privileges. Note: the platform default allows autonomous invocation; combined with remote code execution, this increases the potential impact.
