Skillv1.0.0

ClawScan security

SkillWiki · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

SuspiciousApr 18, 2026, 4:53 PM

Verdict: suspicious
Confidence: medium
Model: gpt-5-mini
Summary: The skill's stated purpose (fetch and analyze ClawHub skills) matches its code, but it forces network downloads from an unexpected host and instructs the agent to always trust the remote copy instead of local files — an incoherent trust model that raises supply‑chain and exfiltration concerns.
Guidance: This skill is designed to fetch and analyze remote skill packages, which is coherent, but it forces you to rely on a remote copy from a non-obvious host. Before installing or running it: (1) verify the CLAWHUB_DOWNLOAD_URL points to an official ClawHub API/domain you trust (edit skillwiki.ini if necessary); (2) inspect scripts/fetch_skill.py yourself to confirm no unexpected network endpoints or exfiltration logic; (3) consider running the script in an isolated environment (no sensitive creds, limited network access) and review the downloaded JSON before asking the agent to analyze it; (4) prefer reading the local skill files directly if you suspect the remote source is untrusted. If you cannot confirm the download host is legitimate, treat the skill as untrusted.
Findings: [external_download_host] unexpected: skillwiki.ini's CLAWHUB_DOWNLOAD_URL points to https://wry-manatee-359.convex.site/api/v1/download?slug= rather than an obviously official ClawHub domain; a fetcher claiming to download 'from ClawHub' would normally reference the official ClawHub API or domain. [network_zip_extract] expected: fetch_skill.py downloads a skill package (via urllib.request) and extracts it (zipfile). This behavior is consistent with a tool designed to fetch and inspect remote skill packages. [writes_config] expected: The script includes functions to read and write a local skillwiki.ini (e.g., to set SKILLWIKI_LANG). The SKILL.md also instructs using --config to update language, which explains this behavior.

Review Dimensions

Purpose & Capability: noteSkill name and SKILL.md describe fetching and analyzing ClawHub skills; included scripts (fetch_skill.py) implement downloading, extracting, and summarizing a skill into JSON — this is coherent with the purpose. However, the bundled config points to a non-obvious host (https://wry-manatee-359.convex.site) rather than a clearly identified official ClawHub domain, which is unexpected for a 'ClawHub' fetcher.
Instruction Scope: concernSKILL.md mandates always running scripts/fetch_skill.py and explicitly forbids reading the target skill's local files, directing analysis to the remotely downloaded JSON. That forces reliance on remote data instead of local artifacts and increases risk that the agent will analyze an attacker-controlled package. The instructions also tell the agent to change the local config via --config, which will modify skillwiki.ini.
Install Mechanism: noteNo install spec (instruction-only) — low install-time risk. Runtime behavior, however, performs network downloads and zip extraction (fetch_skill.py uses urllib.request and zipfile). The default download URL in the included config is an unusual third-party host (convex.site), which is not a well-known or obviously official release host.
Credentials: okThe skill does not request credentials or declare required environment variables. The fetch script scans other skills for env var usage but does not itself require secrets. It will, however, write/update skillwiki.ini (SKILLWIKI_LANG) when asked to change language preference.
Persistence & Privilege: okalways:false (no forced always-on). The script may modify its own configuration file in the skill's parent directory but does not request elevated system-wide privileges. No evidence it modifies other skills or global agent settings.