Skill v1.0.0
ClawScan security
Burp Zap Hardened · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Suspicious · Apr 29, 2026, 1:40 AM
- Verdict
- suspicious
- Confidence
- medium
- Model
- gpt-5-mini
- Summary
- The skill's purpose (query local Burp MCP for proxy/sitemap data) matches the instructions, but the skill operates on very sensitive local data (auth tokens, API keys) and the package does not clearly demonstrate enforced guardrails against exporting or replaying captured credentials — SAFETY.md documents prior weak behavior and proposed fixes, leaving ambiguity about runtime enforcement.
- Guidance
- This skill is coherent with its stated purpose: it reads Burp MCP proxy and sitemap data and provides patterns to analyze requests (IDs, auth endpoints, etc.). However, proxy history commonly contains sensitive tokens, API keys, cookies and PII. Before installing or enabling this skill:
  - Confirm that the runtime enforces the SAFETY.md guardrails (only connect to a local MCP endpoint such as http://127.0.0.1:9876; refuse conversational requests to switch MCP endpoints).
  - Verify the agent redacts credential values in outputs and will not construct or return shell commands that include raw secrets (no building curl/wget commands embedding captured API keys).
  - Confirm the skill will refuse to replay, forge, or send captured authentication tokens to external endpoints and will keep all captured data within the local Burp environment (use send_to_repeater/send_to_intruder rather than exporting).
  - Prefer manual invocation for sensitive tasks and test the skill in an isolated environment first.
- If you can provide a runtime log or show the SKILL.md lines that implement the guardrails, I can raise confidence to high; without that evidence, treat this as potentially risky and verify behavior before use.
- Findings
[no_regex_matches] expected: The static/regex scanner reported no findings because this is an instruction-only skill with no code files. That absence is not evidence of safety — runtime behavior depends on how the agent executes the SKILL.md instructions and whether guardrails are enforced.
Review Dimensions
- Purpose & Capability
- ok: Name and description match the SKILL.md: all shown operations (get_proxy_history, get_sitemap, get_scope, send_to_repeater/intruder, filtering for IDs/auth endpoints) are appropriate for querying Burp's MCP and analyzing proxy history. The skill requests no unrelated binaries, env vars, or config paths.
- Instruction Scope
- concern: The instructions include patterns and code to extract Authorization headers, IDs, and other sensitive fields and show how to build requests/contexts for testing. While send_to_repeater/send_to_intruder are local Burp actions (appropriate), SKILL.md content and the included SAFETY.md indicate that earlier behavior allowed building curl commands with raw captured credentials and accepting requests to change the MCP endpoint. It's unclear whether the current SKILL.md enforces redaction or prohibits replay/exfiltration; that ambiguity is a security concern because the instructions naturally surface secrets present in Burp's proxy history.
- Install Mechanism
- ok: Instruction-only skill with no install spec and no code files — low install risk. Nothing is downloaded or written to disk by the package itself.
- Credentials
- ok: The skill declares no environment variables, no credentials, and no config path requirements — this is proportionate to its stated purpose. However, the runtime operations inherently expose sensitive data captured by Burp (tokens, API keys) — this is expected but worth careful handling.
- Persistence & Privilege
- ok: Skill is not always-enabled and does not request persistent system-level privileges. Autonomous invocation is allowed by default (platform normal) but not an additional privilege requested by the skill.
