Skill v1.3.24
ClawScan security
Offline Airport Lounge Finder - Comparison Map · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Benign · Mar 21, 2026, 4:31 PM
- Verdict
- benign
- Confidence
- medium
- Model
- gpt-5-mini
- Summary
- The skill's code, install steps, and runtime instructions are coherent with an offline lounge catalog — npm dependency installation is the only network step and otherwise it runs locally against the bundled JSON snapshot.
- Guidance
- This bundle appears internally consistent for offline use, but take these precautions before installing: 1) Inspect the raw SKILL.md and other text files for hidden unicode/control characters (scanner flagged this). 2) Review package.json and any lockfile; run npm install in a controlled/isolated environment (air-gapped build host or sandbox) to reduce supply-chain risk. 3) Confirm you will start the server locally (node scripts/run-offline-mcp.mjs) and do not enable outbound network access at runtime if you need an air-gapped workflow. 4) Verify that assets/catalog.json contains only the expected static data. If you need higher assurance, ask the publisher for the package checksums or a signed release and/or run npm install using an allowlist or offline cache.
- Findings
[unicode-control-chars] unexpected: A prompt-injection pattern scanner flagged unicode control characters in SKILL.md. Nothing else in the code appears to perform injection or exfiltration, but hidden/control characters in guidance files can be used to try to influence parsers or LLMs. Manual inspection of the raw SKILL.md (and any transport of this file) is recommended to confirm there are no hidden characters.
Review Dimensions
- Purpose & Capability
- ok: Name/description match what is implemented: a local stdio MCP server that serves the bundled assets/catalog.json. Required binaries (node, npm) and the @modelcontextprotocol/sdk dependency are consistent with the stated MCP runtime.
- Instruction Scope
- note: SKILL.md explicitly constrains runtime to offline read-only use and shows commands to run the local server only. One important operator step (npm install) pulls packages from the network at install time; runtime code itself reads only bundled assets and exposes local MCP tools/resources. Reviewers should confirm that the runtime is not run with network access if an air-gapped environment is required.
- Install Mechanism
- note: Install uses npm to fetch @modelcontextprotocol/sdk (and zod per docs). Using npm is expected for a Node-based MCP server but has typical supply-chain risk: operator must run npm install (network) before using the bundle. No arbitrary URL downloads or extracted archives were found.
- Credentials
- ok: The skill requests no environment variables, no credentials, and no special config paths. This is proportionate to an offline catalog reader.
- Persistence & Privilege
- ok: The skill does not request always:true, does not modify other skills, and does not persist agent-wide configuration. It runs as a local process started by the operator.
