Skill v0.0.1

ClawScan security

Improve Skill Bespoke To CodeBase · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Suspicious · Mar 2, 2026, 6:34 AM
Verdict
suspicious
Confidence
medium
Model
gpt-5-mini
Summary
The skill's purpose (audit and improve other skills against a project) is plausible and mostly consistent with its instructions, but the runtime instructions are vague about what invocation history and other skill artifacts may be read and do not document user consent or scope limits — this creates potential privacy/scope concerns that should be clarified before use.
Guidance
This skill appears coherent for auditing and improving other skills, but before installing:
1) Confirm what data the agent will read — specifically whether it will access invocation history, chat logs, or other user messages.
2) Prefer running it only when you explicitly name the target skill (avoid 'discovery' or auto-invocation modes) to limit scope.
3) Ensure the SKILL.md is extended to specify directories to include/exclude, handling of secrets (do not read .env, secret files, or chat logs unless explicitly permitted), maximum file sizes, and that no data will be sent to external endpoints.
4) If you need to analyze a skill that has produced artifacts, consider running the audit in an isolated workspace or with redaction of sensitive data.
5) Ask the author to add explicit consent and scoping language to SKILL.md (what is OK to read, what must be skipped) and to document any automatic triggers — this will reduce privacy and surprise risks.

Review Dimensions

Purpose & Capability
ok: Name and description align with what the SKILL.md asks the agent to do: read a target skill's SKILL.md and supporting files, scan the current project, and produce prioritized improvement recommendations. Required binaries/env/configs are none, which is proportionate for a read-only analysis/meta-skill.
Instruction Scope
concern: The instructions require reading other skills' SKILL.md, supporting files, the current project codebase, and the 'invocation history' and produced artifacts. Reading a skill's definition and supporting files is justified; however, 'invocation history' and 'produced artifacts' are not scoped or consented in the SKILL.md. The doc also states the droid can be 'Auto-invocable' and 'suggest improvements after observing skill friction' — this grants broad discretion unless constrained. The instructions lack explicit limits (what directories, maximum file sizes, whether secrets or user messages are excluded) and do not state whether any data will be transmitted elsewhere.
Install Mechanism
ok: Instruction-only skill with no install spec and no code files. This minimizes filesystem/persistence risk — nothing will be downloaded or installed by the skill itself.
Credentials
ok: The skill declares no required environment variables, credentials, or config paths. That is proportionate to the stated purpose of local analysis and reporting.
Persistence & Privilege
note: Skill metadata shows always: false and disable-model-invocation: false (normal). The SKILL.md's wording about being 'Auto-invocable' and 'suggest improvements after observing skill friction' implies potential background/autonomous triggering. Autonomous invocation is platform-default and not inherently a problem, but because the instructions permit reading invocation history and artifacts, users should be warned and given explicit consent controls.