Skill v0.0.0-pr-check
ClawScan security
Sm Saver · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict: Suspicious (Mar 4, 2026, 2:18 PM)
- Verdict: suspicious
- Confidence: medium
- Model: gpt-5-mini
- Summary: The skill's instructions generally match its description (saving and summarizing links) but there are a few unexplained/underspecified pieces (an undeclared 'summarize' CLI and an unstated dependency on python3, plus behavior that fetches arbitrary URLs and writes into ~/workspace/resources.md) that merit caution.
- Guidance: This skill mostly does what it says (extracts links, fetches them, summarizes, and appends to a resources.md file), but before installing or running it consider:
  1) Confirm the host environment has the expected tools: xurl, python3, and whatever 'summarize' CLI is intended — ask the skill author which 'summarize' binary/service is required.
  2) Be aware the skill will fetch arbitrary URLs you supply (or that someone supplies) and could contact internal network addresses — avoid giving it untrusted or internal links, or run it in a sandbox.
  3) It will write to ~/workspace/resources.md; ensure you’re comfortable with automated writes to that path.
  4) Verify the provenance/trustworthiness of xurl and the summarizer (is summarization done locally or by a remote API that could receive fetched content?).
  If you need stronger assurance, request the skill author to: declare python3 and summarize in requires.bins, document the summarize implementation, limit or validate which URLs are fetched, and make the output file path configurable instead of hardcoded.
Review Dimensions
- Purpose & Capability (note): The skill name and description match the actions in SKILL.md (extract tweet/LinkedIn content, fetch linked URLs, summarize, append to a resource log). Declaring xurl as a required binary is appropriate for Twitter/X extraction. However the instructions rely on a 'summarize' CLI (used first) and on python3 for a fallback without declaring them as required binaries. Also the skill will write to ~/workspace/resources.md — reasonable for a saver but not declared in metadata as a config path.
- Instruction Scope (concern): Instructions tell the agent to fetch arbitrary URLs (via 'summarize' or a python3 fallback that performs HTTP requests) and to append results to ~/workspace/resources.md. Fetching arbitrary URLs is central to the purpose but carries SSRF/side-channel risk (internal endpoints could be contacted if a user or adversary supplies internal URLs). The agent is explicitly instructed to run arbitrary shell commands (exec tool) using user-supplied URLs; the 'summarize' command is underspecified, so it could be local or call remote services. The file write is explicit and will modify user workspace files — this should be visible to the user and authorized.
- Install Mechanism (ok): There is no install spec and no code files — instruction-only — so nothing will be written to disk by an installer. This is the lower-risk model for skill distribution.
- Credentials (note): The skill requests no credentials or environment variables, which aligns with its stated purpose. However it omits declaring python3 and the 'summarize' CLI as required binaries, which is an inconsistency (the fallback uses python3; the primary summarizer is unspecified). No secrets are requested, which is good.
- Persistence & Privilege (ok): always is false and the skill does not request special platform privileges. It will, if invoked, write to ~/workspace/resources.md (its own artifact) but it does not ask to persist credentials or modify other skills/configs.
