Skill v2.0.0

ClawScan security

aiclone · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Suspicious · Mar 6, 2026, 1:28 PM
Verdict: suspicious
Confidence: medium
Model: gpt-5-mini
Summary
The skill's purpose (export/import AI robot configs) is coherent with its files and instructions, but the implementation contains several logic bugs and subtle correctness issues that could weaken the stated security protections — treat as untrusted until reviewed and tested in an isolated environment.
Guidance
This skill appears to do exactly what it says (packaging and unpacking local AI workspace files), but don't treat the 'hardened' label as proof of safety — the code has correctness bugs that could weaken protection for sensitive files.

Before installing or running on real data:
1) Review and test the script in an isolated environment (VM/container) with representative malicious ZIPs to validate verify behavior;
2) Inspect and/or fix is_path_safe and should_exclude logic (see below);
3) Do not use --keep-paths or import production workspaces until you confirm exclusions work;
4) Always run verify and --preview and keep backups of target directories;
5) Consider adding blocking behavior for suspicious executable files instead of mere warnings.

Specific implementation issues to examine or fix:
- is_path_safe uses path_str.split(os.sep) which may fail to detect '..' in ZIP entries (ZIP names use '/' regardless of OS); normalization checks are present but platform differences could matter.
- should_exclude has flawed pattern matching (some branches unreachable or compare lower/upper inconsistently), which can cause exclude patterns to be ignored.
- SENSITIVE_PATTERNS and wildcard handling logic is inconsistent and may fail to exclude files containing keywords.
- validate_zip_package prints warnings for .sh/.exe but does not reject them; verify may therefore accept archives containing scripts.
- The script uses input() confirmation which can hang in non-interactive automation; use --force with caution.

If you lack the ability to audit or test the code, treat the package as untrusted and avoid importing into production systems.

Review Dimensions

Purpose & Capability
ok: Name/description, README, SKILL.md and scripts/clone_robot.py all describe the same functionality (export/import workspace configs into ZIP packages with safety checks). No unrelated credentials, binaries, or external network calls are requested. The required artifacts align with the stated purpose.
Instruction Scope
concern: SKILL.md instructs the agent and user to export/import/verify local workspace ZIPs only (no network exfiltration). However, the implementation of safety checks has bugs that undermine the claimed protections: is_path_safe and should_exclude contain logic issues (see details below) that may allow sensitive files or path-traversal patterns to slip through; verify prints warnings for suspicious executables but does not block them. The script also uses input() for confirmation which will block in non-interactive automation unless --force is used.
Install Mechanism
ok: No install mechanism is provided (instruction-only with included script). Nothing is downloaded or installed by the skill bundle itself, which minimizes supply-chain risk.
Credentials
ok: The skill declares no required environment variables, credentials, or config paths. The README references that API keys should be reconfigured after cloning (informational), but the skill itself does not request unrelated secrets.
Persistence & Privilege
ok: always is false, no persistent or privileged platform hooks are requested. The skill reads and writes only local files under user-specified paths and uses temporary directories for packaging.