Skill v1.0.0
ClawScan security
Token Saving Mastery · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Suspicious · Apr 13, 2026, 7:37 AM
- Verdict
- suspicious
- Confidence
- medium
- Model
- gpt-5-mini
- Summary
- The skill's advice on reducing tokens is plausible, but its runtime instructions tell the agent to list and patch other skills, create cron jobs, and export sessions externally — actions that exceed a simple helper and require elevated permissions and caution.
- Guidance
- This skill contains reasonable token-saving techniques, but it also instructs the agent to list and patch other skills and to create cron jobs and export sessions externally. Before installing or running it: 1) Verify what platform operations (skill editing, session access, cron creation) the agent is allowed to perform and restrict them if possible. 2) Don't allow automatic or background creation of cron jobs without review. 3) Require backups and code review before any skill_manage patch operations — editing other skills can break behavior or remove important content. 4) Avoid providing external-service tokens (Notion, etc.) unless you trust the workflow and audit exports. 5) Test in a sandbox account first and check activity logs for any edits or exports. If you cannot confirm who authored the skill or cannot limit its permissions, treat it cautiously or decline to install.
Review Dimensions
- Purpose & Capability
- concern: The name and description claim token-saving tips, which matches most of the instructions. However, the runtime steps explicitly instruct listing all skills and patching other skills' SKILL.md to delete content (via skills_list, skill_manage patch). Editing other skills is not an obvious or low-risk requirement for a 'token-saving tips' helper and implies rights to modify unrelated artifacts.
- Instruction Scope
- concern: SKILL.md tells the agent to call platform operations: session_search, skills_list, skill_view, skill_manage patch, hermes cron create, and to export sessions to external services (Obsidian/Notion). These instructions go beyond passive guidance — they direct programmatic modification of other skills and creation of background cron jobs, and recommend moving user conversation data to external endpoints. That broad scope could lead to unintended data exposure or destructive edits.
- Install Mechanism
- ok: Instruction-only skill with no install spec or code files — nothing is written to disk by the skill itself. This is the lowest install risk.
- Credentials
- concern: The skill declares no env vars or credentials, yet recommends exporting sessions to external services (Notion) and creating cron jobs that may need tokens or connectors. It also presumes the ability to view and patch other skills and to access session histories. The permissions implied by the instructions are neither declared nor justified.
- Persistence & Privilege
- concern: Although the skill is marked always:false and has no automatic install, the instructions explicitly direct the agent to create persistent cron tasks (hermes cron create) and to edit other skills' prompts — both introduce persistent, system-wide effects. That increases the blast radius if the agent is allowed to act autonomously or if cron prompts contain sensitive data.
