ClawHub

play

PassAudited by ClawScan on May 1, 2026.

Overview

The skill is purpose-aligned for launching a CLI game and writing a report, but it relies on local native executable archives whose provenance and presence in the manifest should be checked.

This appears to be a straightforward game-running skill. The main thing to consider is that it executes a local native CLI binary, so install it only if you trust the package and can verify the referenced release archives.

Findings (2)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

Low
#ASI05: Unexpected Code Execution
What this means

Installing and using the skill may run a native executable on the user's machine.

Why it was flagged

The helper script unpacks a platform-specific archive, marks the extracted native binary executable, and runs it. This is central to a CLI game skill, but it means the game binary runs with the user's local account permissions.

Skill content
tar -xzf "${ARCHIVE}" -C "${TARGET_DIR}"
chmod +x "${BINARY}"
...
exec "${BINARY}" "$@"
Recommendation

Use only if you trust the skill package and the bundled Ashen Era CLI build; run it in an environment where executing a local game binary is acceptable.

Low
#ASI04: Agentic Supply Chain Vulnerabilities
What this means

The skill may fail if the archives are truly absent, or users may have limited ability to verify the native CLI build if those artifacts are supplied outside the visible manifest.

Why it was flagged

The instructions depend on bundled release archives, but the provided file manifest lists only SKILL.md, agents/openai.yaml, two reference files, and scripts/run-packed-cli.sh. The registry also shows an unknown source and no homepage, so users have limited provenance information for the native release artifacts.

Skill content
The skill bundles four archives:

- `assets/releases/ashen-cli-darwin-arm64.tar.gz`
- `assets/releases/ashen-cli-darwin-x64.tar.gz`
- `assets/releases/ashen-cli-linux-arm64.tar.gz`
- `assets/releases/ashen-cli-linux-x64.tar.gz`
Recommendation

Before installing, verify that the release archives are present, expected for the platform, and come from a trusted source; publisher-provided checksums or source links would reduce this ambiguity.