ClawHub

Capability Scope Expansion Watcher

v1.1.0

Helps detect incremental capability scope expansion across skill versions — the pattern where a skill gradually claims broader permissions through small, ind...

0· 505·1 current·1 all-time
by@andyxinweiminicloud
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Suspicious
medium confidence
Purpose & Capability
The name/description (detecting incremental permission drift across versions) aligns with the declared requirements: curl and python3 are reasonable for fetching version metadata and running analysis. However, the SKILL.md includes the line 'Your Skill Started with File Read. Now It Has the Whole Filesystem.' that implies an assumed broad file read capability which is not explicitly declared or scoped.
!
Instruction Scope
SKILL.md describes analyzing per-version manifests, changelogs, and 'environment variable resolution' but does not specify how those artifacts are retrieved or what file paths will be read. The ambiguous header suggesting full filesystem access is especially concerning: instructions permit (or at least assume) reading arbitrary installed-skill files and possibly other configuration files. Without explicit limits, the watcher could be run in ways that read secrets, credentials, or sensitive configs.
Install Mechanism
No install spec and no code files — the skill is instruction-only. This minimizes supply-chain risk (nothing is downloaded or written during install).
Credentials
The skill requests no environment variables (good). But the feature set includes detecting 'environment variable resolution' and 'resolve secrets from environment variables' as analysis targets; it's unclear whether the watcher intends to read runtime environment values on the host. If it does, that would be disproportionate and high-risk. Confirm whether runtime env access or secret reads are required and, if so, why.
Persistence & Privilege
always: false and no install-time persistence specified. The skill does not request permanent presence or modify other skills' configuration per the provided metadata.
What to consider before installing
This skill's goal is reasonable, but the SKILL.md is ambiguous about exactly what files and environment data it will read. Before installing or enabling it: (1) Ask the author to clarify what paths and APIs the watcher will access (e.g., skill manifests only vs. arbitrary /etc or user home files). (2) Confirm it will not read runtime environment variables or secrets unless explicitly authorized; if env reads are required, require a narrow allowlist. (3) Run it in a restricted/sandboxed environment first (no privileged mounts, no secret env injection). (4) Request explicit logging of what files and network endpoints were accessed during a run. (5) Prefer interactive invocation rather than allowing autonomous invocation until the data-access behavior is explicit. These steps reduce the risk of accidental exposure of credentials or sensitive configs.

Like a lobster shell, security has layers — review code before you run it.

latestvk975yre2gkp66y4n3n0tepqzj981v9zs

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Runtime requirements

🔭 Clawdis
Binscurl, python3

Comments