Skill v1.0.1
ClawScan security
clawhub-skill-remote-agent · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Suspicious · Feb 10, 2026, 4:47 PM
- Verdict: suspicious
- Confidence: medium
- Model: gpt-5-mini
- Summary: This skill legitimately forwards queries to an external agent URL, but its metadata is inconsistent and the instructions allow an AI to send arbitrary user queries and context to a remote endpoint (potential data exfiltration) while remaining model-invocable — review before installing.
- Guidance: This skill performs network forwarding of user queries to an external HTTP endpoint. Before installing, verify the following:
  1. Confirm the REMOTE_AGENT_URL points to a trusted, well-managed endpoint and that you control or trust the operator.
  2. Review the included scripts/client.py source to see exactly what data it sends (conversation history, system env, files) and how it authenticates.
  3. Prefer making the skill user-invocable and/or set disableModelInvocation:true so the model cannot call it autonomously.
  4. If you must allow it, restrict the REMOTE_AGENT_URL and REMOTE_AGENT_KEY to minimal-scoped credentials, require HTTPS, and add allowlisting in the script so only explicitly authorized fields are transmitted.
  5. Resolve the metadata mismatch (registry vs SKILL.md) or ask the publisher for clarification.
  If you cannot review or trust the endpoint and script, do not install.
Review Dimensions
- Purpose & Capability
  - note: The skill's name/description (bridge to external vertical agents) match the SKILL.md instructions to forward queries to a REMOTE_AGENT_URL. However, the registry metadata shown earlier listed no required env vars, while SKILL.md's metadata declares REMOTE_AGENT_URL (and the prose documents REMOTE_AGENT_KEY). This mismatch is an incoherence in declared requirements.
- Instruction Scope
  - concern: The SKILL.md instructs the agent to run scripts/client.py to forward user queries to an arbitrary REMOTE_AGENT_URL. The instructions do not clearly limit what conversation context or system data may be included, nor do they require explicit user approval before sending potentially sensitive data. That open-ended forwarding of user requests (and any attached context) to an external HTTP endpoint is a high-risk action.
- Install Mechanism
  - note: There is no install spec (instruction-only), which lowers the risk of silent binary installs. However, a Python script (scripts/client.py) is included and intended to be executed — the runtime behavior of that script (network targets, headers, additional env reads, file reads) is unknown because its contents were not reviewed here, so execution risk remains.
- Credentials
  - concern: SKILL.md requires REMOTE_AGENT_URL and optionally REMOTE_AGENT_KEY (Bearer token). Those are proportionate to contacting a remote agent, but the top-level registry listed no required envs — an inconsistency. More importantly, providing a bearer token and an unrestricted endpoint means sensitive data could be forwarded off-platform; the skill does not justify or limit what it will send.
- Persistence & Privilege
  - concern: The skill does not set always:true (good) but also does not set disableModelInvocation or user-invocable flags, which means the model may autonomously choose to invoke this skill. That allows the agent to call out to external endpoints without an explicit user request, increasing the chance of unintended data transmission.
