Skill v1.0.1

ClawScan security

Skylv Self Healing Agent · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Suspicious · Apr 18, 2026, 4:38 AM
Verdict
suspicious
Confidence
medium
Model
gpt-5-mini
Summary
The skill largely matches its stated purpose (diagnose and suggest repairs), but SKILL.md and the code contain ambiguous behaviors (running or auto-applying fixes via child_process, writing pattern files) and a small but important mismatch (Node.js is required but not declared), so review and sandboxing are advised before use.
Guidance
This skill appears to implement what it claims (error pattern matching, suggestions, learning), but check the following before installing it or running it on production systems:

- Node.js requirement: the README and SKILL.md invoke the skill with 'node ...', but the skill metadata does not declare Node as a required binary. Make sure a compatible Node.js runtime (Node 14+) is present.
- Confirm whether 'heal' or 'watch' actually execute shell commands: the code imports child_process (exec/execSync). Ask the author or inspect the remaining code to verify whether auto-applied fixes are only printed as suggestions or are executed automatically, and whether user confirmation is required before any change is executed.
- Run in a sandbox first: because the tool runs monitored commands and may execute fixes, test it in an isolated, non-production environment under an unprivileged account.
- Review persisted files: the skill creates .self-heal-patterns.json in the working directory; make sure that location and its contents are acceptable for your environment.
- Ask the maintainer: (1) does 'heal' execute commands or mutate system state? (2) what confirmation UI exists for auto-fixes? (3) will it make network calls or require credentials in future versions? (4) where are learned patterns stored when run by an automated agent (path and permissions)?

If you cannot get clear answers or inspect the full code that performs fixes, treat this skill as untrusted and do not run it with high privileges or against production workloads.
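The second item above (find out where the skill calls into child_process and whether anything resembling a confirmation gate sits in front of those calls) can be triaged mechanically before you read the whole file. The script below is an added example written for this review; it is not ClawScan output and not the skill's own self_healing_engine.js. The sample source it scans is constructed to stand in for a truncated skill file, and the "gated" check is a heuristic (a confirm/prompt/readline/dry-run mention within a few lines above the call), useful for triage but not proof of a confirmation flow.

```javascript
// Added example (written for this review; not ClawScan output and not the
// skill's own self_healing_engine.js): static triage of a skill's JavaScript
// source that answers the reviewer's questions mechanically: does it import
// child_process, where does it call exec/execSync/spawn, does an obvious
// confirmation gate precede each call, and does it touch
// .self-heal-patterns.json. The "gated" check is a heuristic, not proof.

const CHILD_PROCESS_IMPORT =
  /require\(\s*['"](?:node:)?child_process['"]\s*\)|from\s+['"](?:node:)?child_process['"]/;
const EXEC_CALL = /\b(execFileSync|execSync|spawnSync|execFile|exec|spawn)\s*\(/g;
const CONFIRM_HINT = /\b(confirm|prompt|readline|dryRun|dry_run)\b/i;
const PATTERN_FILE = /\.self-heal-patterns\.json/;
const FS_WRITE = /\bwriteFile(?:Sync)?\s*\(/;

function auditSource(source, { gateWindow = 8 } = {}) {
  const lines = source.split('\n');
  const execCalls = [];
  lines.forEach((line, idx) => {
    for (const m of line.matchAll(EXEC_CALL)) {
      // Look a few lines upward for something that resembles a confirmation gate.
      const above = lines.slice(Math.max(0, idx - gateWindow), idx).join('\n');
      execCalls.push({ line: idx + 1, api: m[1], gated: CONFIRM_HINT.test(above) });
    }
  });
  return {
    importsChildProcess: lines.some((l) => CHILD_PROCESS_IMPORT.test(l)),
    mentionsPatternFile: lines.some((l) => PATTERN_FILE.test(l)),
    writesFiles: lines.some((l) => FS_WRITE.test(l)),
    execCalls,
    ungatedExecCalls: execCalls.filter((c) => !c.gated).length,
  };
}

// The review's own decision rule: command execution without a visible
// confirmation gate means the "suggest only" claim must be verified by hand.
function needsManualReview(findings) {
  return findings.importsChildProcess && findings.ungatedExecCalls > 0;
}

function renderReport(findings) {
  const calls = findings.execCalls
    .map((c) => `  line ${c.line}: ${c.api}() ${c.gated ? 'gated (heuristic)' : 'UNGATED'}`)
    .join('\n');
  return [
    `imports child_process: ${findings.importsChildProcess}`,
    `mentions .self-heal-patterns.json: ${findings.mentionsPatternFile}`,
    `writes files: ${findings.writesFiles}`,
    `exec-family calls:\n${calls || '  none'}`,
    `manual review needed: ${needsManualReview(findings)}`,
  ].join('\n');
}

// Constructed sample standing in for a truncated skill file; it is NOT the
// real engine. It contains one ungated exec() in watch() and one gated
// execSync() in autoFix().
const SAMPLE_SKILL_SOURCE = `
const { exec, execSync } = require('child_process');
const fs = require('fs');
const PATTERN_FILE = '.self-heal-patterns.json';

function watch(cmd) {
  return exec(cmd, (err, stdout, stderr) => parseErrors(stderr));
}

async function autoFix(match) {
  if (match.confidence < 0.85) return match.fix;   // suggestion only
  const ok = await confirm('Apply fix: ' + match.fix + '?');
  if (!ok) return match.fix;
  return execSync(match.fix).toString();
}

function learn(pattern) {
  fs.writeFileSync(PATTERN_FILE, JSON.stringify(pattern));
}
`;

console.log(renderReport(auditSource(SAMPLE_SKILL_SOURCE)));
```

Run it against the real file by replacing SAMPLE_SKILL_SOURCE with fs.readFileSync('self_healing_engine.js', 'utf8'). An UNGATED line in the report is exactly the spot to read by hand, or to put to the maintainer, before deciding whether 'heal' and 'watch' are suggestion-only.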

Review Dimensions

Purpose & Capability
note: The name/description (self-healing agent) aligns with the included code: it parses errors, matches patterns, suggests fixes, and stores learned patterns. However, the package does not declare that Node.js is required even though both README and SKILL.md show usage as 'node self_healing_engine.js' and the code imports Node built-ins. That mismatch (no required binary declared) is an actionable inconsistency.
Instruction Scope
concern: SKILL.md instructs running commands like 'watch "node my_agent.js"' and 'heal ...', and the code imports child_process.exec/execSync. The engine is intended to 'auto-apply fixes' when confidence >= 85%; the visible autoFix() returns a fix string, but the file is truncated, so it is unclear whether fixes are executed or only suggested. Because the code can run commands (it watches a command and child_process is present), the skill is able to execute arbitrary shell commands: coherent with the stated purpose, but risky and underspecified (no explicit confirmation flow appears in the visible code). The skill also writes .self-heal-patterns.json to the working directory.
Install Mechanism
ok: There is no remote install or download step (instruction-only plus the included JS file), which minimizes the supply-chain risk of fetching arbitrary code. The code runs locally when invoked and creates a patterns file in the working directory; that is expected behavior for this type of tool.
Credentials
ok: The skill declares no required environment variables or credentials, and the visible code does not access external secrets. It writes a local .self-heal-patterns.json file (persistent data) but does not declare or request unrelated credentials. No network calls are visible in the provided snippet.
Persistence & Privilege
note: The skill does not request 'always: true' and is user-invocable. It persists learned patterns locally (.self-heal-patterns.json), which is within scope. However, autonomous invocation combined with the skill's ability to run commands (if configured to run without interactive confirmation) increases the blast radius; the SKILL.md claim 'Never applies destructive fixes without confirmation' cannot be verified from the truncated code.
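Both the Instruction Scope concern and the note above come down to one unverifiable claim: that fixes above the 85% threshold are applied only after confirmation, and destructive ones never without it. The block below is an added example written for this review, not the skill's own code, showing what a confirmation gate that can actually be verified and tested looks like. Everything in it is hypothetical: the planFix/applyFix/isDestructive names, the assumption that a match is { fix: string[], confidence: 0..1 } with the fix held as an argv array rather than a shell string, the destructive-command list, and the 0.85 threshold taken from the "auto-apply at >= 85%" rule quoted in the review.

```javascript
// Added example (written for this review; not the skill's own code): a
// confirmation gate in front of an auto-fix executor whose decision is
// explicit and testable. Assumptions (hypothetical, not from the skill):
// a match is { fix: string[], confidence: 0..1 }, the fix is an argv array
// rather than a shell string, and AUTO_APPLY_THRESHOLD mirrors the
// "auto-apply at >= 85%" rule quoted in the review.

const AUTO_APPLY_THRESHOLD = 0.85;

// Commands that never run without an explicit per-invocation confirmation,
// whatever the confidence. Constructed list for the example; extend per environment.
const GIT_DANGEROUS = /(^|\s)(--hard|--force|-f|clean)(\s|$)/;
function isDestructive(argv) {
  const [file, ...args] = argv;
  if (['sudo', 'dd', 'shutdown', 'reboot'].includes(file) || /^mkfs/.test(file)) return true;
  if (file === 'rm') return args.some((a) => /^-[A-Za-z]*[rf]/.test(a));
  if (file === 'git') return GIT_DANGEROUS.test(args.join(' '));
  return false;
}

// Decide, without running anything, what should happen to a matched fix.
function planFix(match, { confirmed = false } = {}) {
  const argv = match.fix;
  if (!Array.isArray(argv) || argv.length === 0 || argv.some((a) => typeof a !== 'string')) {
    return { action: 'reject', reason: 'fix must be a non-empty argv array, not a shell string' };
  }
  if (typeof match.confidence !== 'number' || Number.isNaN(match.confidence)) {
    return { action: 'reject', reason: 'confidence must be a number' };
  }
  if (match.confidence < AUTO_APPLY_THRESHOLD) {
    return { action: 'suggest', reason: `confidence ${match.confidence} below ${AUTO_APPLY_THRESHOLD}`, argv };
  }
  if (isDestructive(argv) && !confirmed) {
    return { action: 'suggest', reason: 'destructive command; explicit confirmation required', argv };
  }
  return { action: 'execute', reason: confirmed ? 'confirmed by operator' : 'non-destructive and above threshold', argv };
}

// Real runner: execFile with an argv array involves no shell, so a fix learned
// from a pattern file cannot smuggle in extra commands through metacharacters.
// Loaded lazily; CommonJS module style assumed.
function defaultRunner(file, args) {
  const { execFileSync } = require('child_process');
  return execFileSync(file, args, { encoding: 'utf8', timeout: 30000 });
}

// `run` is injectable so the gate can be exercised without executing anything.
function applyFix(match, { confirmed = false, run = defaultRunner } = {}) {
  const plan = planFix(match, { confirmed });
  if (plan.action !== 'execute') return { ...plan, ran: false };
  const output = run(plan.argv[0], plan.argv.slice(1));
  return { ...plan, ran: true, output: String(output) };
}

// Dry demonstration: a recording runner shows what would have been executed.
const recorded = [];
const recordOnly = (file, args) => { recorded.push([file, ...args]); return ''; };
console.log(applyFix({ fix: ['npm', 'install'], confidence: 0.92 }, { run: recordOnly }).action);            // execute
console.log(applyFix({ fix: ['rm', '-rf', 'node_modules'], confidence: 0.99 }, { run: recordOnly }).action); // suggest
console.log(recorded);                                                                                        // [ [ 'npm', 'install' ] ]
```

The point for the reviewer is that a gate like this is something you can read off the code and check with a test: the decision is a pure function of confidence, destructiveness and an explicit confirmed flag, the executor takes an argv array (no shell), and nothing in the "suggest" path ever reaches child_process. A skill whose autoFix() cannot be read this way is the case the verdict above describes.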