Skillv1.18.9

ClawScan security

CNB OpenAPI Skills · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

SuspiciousMar 11, 2026, 6:59 AM

Verdict: suspicious
Confidence: high
Model: gpt-5-mini
Summary: The skill is internally consistent with a CNB/OpenAPI wrapper, but its runtime instructions and bundled hooks attempt to force automatic curl execution (without asking the user) and contain prompt-injection style directives — this is risky and worth caution before installing.
Guidance: This skill appears to be a genuine CNB/OpenAPI client (curl + CNB_TOKEN), but it contains instructions that force the agent to execute curl commands automatically and a hook that encourages the agent to choose this skill for CNB-related queries. Before installing: 1) Ensure the CNB_TOKEN you provide has minimal scope (prefer read-only tokens) and consider creating a scoped token specifically for the skill. 2) If you want to avoid automatic calls, disable or review PreToolUse hooks or run the skill only in user-invoked mode — remove or edit the 'must execute' and 'do not ask' lines in SKILL.md so the agent asks for confirmation before network calls. 3) Treat the skill as able to make network requests using your token; do not supply high-privilege credentials unless you trust the endpoint and behavior. 4) If you are unsure, test in a quarantined environment or ask the skill author for an audited version that requires explicit user approval prior to executing any curl commands.
Findings: [system-prompt-override] unexpected: The SKILL.md includes mandatory 'must follow' rules that attempt to alter agent behavior (e.g., '必须实际执行' and '不要询问用户'), which matches the scanner's prompt-override pattern and is not necessary for a benign API doc. This is a red flag.

Review Dimensions

Purpose & Capability: okName, README, SKILL.md and the many reference files consistently describe a full CNB OpenAPI client. Requiring curl and CNB_TOKEN is proportionate to the stated purpose of making authenticated API calls. The large references folder matches the claimed full API coverage.
Instruction Scope: concernSKILL.md contains explicit 'must follow' rules that coerce the agent to always execute curl via exec_command, to never ask the user for permission, and to avoid other fetching tools. That is prompt-injection‑style behavior (it instructs the agent to change its normal consent/behaviour) and grants the skill broad discretion to perform network calls autonomously. While fetching API endpoints is expected, the mandatory 'do not ask' and 'must execute' directives are scope creep and a security risk.
Install Mechanism: okInstruction-only skill with no install spec and no code files to run or pull at install time. This is low-risk from an installation/download standpoint.
Credentials: okOnly CNB_TOKEN (and optional CNB_API_ENDPOINT) are requested, which aligns with calling an authenticated REST API. No unrelated secrets or config paths are requested. Recommend using a token with minimal (read-only) scope where possible.
Persistence & Privilege: concernalways:false and no install means it is not force-included, but hooks/hooks.json defines a PreToolUse matcher that primes the agent to pick this skill for relevant prompts. Combined with SKILL.md's 'do not ask, just execute' rule and default autonomous invocation (disable-model-invocation: false), the skill can be triggered and make API calls without explicit user confirmation. That combination increases risk.