Skill v1.0.2

ClawScan security

Income Brain · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Suspicious · Apr 30, 2026, 2:00 AM
Verdict
suspicious
Confidence
high
Model
gpt-5-mini
Summary
The skill's instructions ask the agent to read/write local project files and to research and deploy new SKILL.md files to external platforms, but the package declares no credentials, no install requirements, and gives no safe boundaries — these mismatches make the intent and scope unclear and risky.
Guidance
This skill is internally inconsistent: it tells the agent to read and write specific local project files and to deploy new skills to external platforms, but it declares no credentials or endpoints and gives no safety limits. Before installing, ask the author to: (1) explicitly list the exact endpoints and required API keys and add them to requires.env; (2) explain what is stored in /home/workspace/MoneyMachine/* and why the agent needs filesystem access; (3) provide safe testing controls and sandboxing (so generated code is not auto-deployed); and (4) restrict the paths the skill may read/write. If you proceed, run it in a tightly permissioned sandbox with no access to sensitive credentials, and require manual approval for any network deployments or creation of new skills.

Review Dimensions

Purpose & Capability
concern: The name/description claim a self-improving, deployment-capable agent. The SKILL.md indeed instructs scanning a local demand_matrix.json, generating SKILL.md files, and deploying them to external endpoints (ClawHub, OpenCollab, x402). However the skill declares no required credentials, no endpoint URLs, and no install/runtime dependencies — deploying across platforms normally requires API keys/credentials. The required local paths for reading/writing are also broader than the description justifies.
Instruction Scope
concern: Runtime instructions explicitly tell the agent to read /home/workspace/MoneyMachine/data/demand_matrix.json and to save outputs to /home/workspace/MoneyMachine/services/, to 'research each skill by searching real websites', and to 'deploy to ClawHub, OpenCollab, and x402 endpoints'. These are broad file-system accesses and network actions. The SKILL.md gives no limits on what to read, how to test, or which credentials/endpoints to use — that grants the agent wide discretion to access local files and external services.
Install Mechanism
ok: No install spec and no code files are provided, so nothing will be automatically downloaded or written by an installer. That reduces install-time risk. However, instruction-only skills can still perform risky actions at runtime.
Credentials
concern: The skill declares no required environment variables or primary credential, yet its workflow requires deploying to multiple external platforms and modifying local project directories — actions that normally need API keys or service credentials. This mismatch is a red flag: either required credentials are being omitted from the manifest (bad) or the instructions assume the agent will find/use credentials from the environment or filesystem (dangerous).
Persistence & Privilege
note: 'always' is false and there are no declared config paths the skill will modify. However the skill's autonomous behavior (platform default) would let it generate new skills and attempt deployments without prompting if invoked, increasing blast radius. This is especially concerning given the lack of declared deployment credentials and the instruction to write to project directories.