Skillv0.3.0

ClawScan security

Skill Forge · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

SuspiciousFeb 15, 2026, 9:57 AM

Verdict: suspicious
Confidence: medium
Model: gpt-5-mini
Summary: The skill's description promises a broad discovery/integration pipeline, but the runtime instructions reference network, filesystem, credentialed services and tools that are not declared in the metadata — this mismatch is concerning and should be reviewed before use.
Guidance: This skill is 'suspicious' because its runtime steps do things (clone repos, run scans, publish to X/ClawHub) that are not reflected in the metadata. Before installing or invoking it: 1) Do not run its pipeline on your primary machine — use an isolated sandbox or VM. 2) Ask the author for a full manifest of required binaries and environment variables (pnpm/node/git/YARA, TWITTER_BEARER_TOKEN, ClawHub credentials, etc.) and why each is needed. 3) Inspect the actual implementation code (the GitHub repo link is provided) — review scripts that the pipeline executes, any auto-publish logic, and what data is uploaded to external services. 4) Limit the credentials you provide to least privilege (e.g., scoped tokens) and prefer time-limited/test accounts. 5) If you must run it, do so with network controls and file-system snapshots so you can undo changes and monitor outbound activity. 6) If the repo or code is not available for review or the author cannot justify the undeclared credentials/tools, avoid granting sensitive tokens or running the pipeline.

Review Dimensions

Purpose & Capability: concernThe SKILL.md describes a complex pipeline (scanning GitHub/HuggingFace/Reddit/X/ProductHunt, cloning repos, running YARA scans, detecting local runtimes, auto-integrating and publishing skills, and auto-posting to X). The skill metadata, however, declares no required binaries, no environment variables, and no install steps. That is internally inconsistent: the pipeline clearly needs tools (pnpm/node/git/YARA), network access, and credentials for publishing (X/Twitter, ClawHub), none of which are declared.
Instruction Scope: concernThe instructions tell an agent to run a multi-stage pipeline (pnpm pipeline) that will read/write /Volumes/data/openclaw/evolution-engine, clone external repositories, run compatibility and security scans, produce skill.json/SKILL.md and auto-publish (clawhub publish, announce to X). This scope includes broad filesystem access, network crawling, code execution, and external publishing — far beyond a simple information-only skill and not limited by metadata or guardrails in the SKILL.md.
Install Mechanism: noteNo install spec (instruction-only), which lowers direct install risk because nothing is automatically written by the registry. However, the runtime assumes pnpm/node, git, YARA and other tooling are present and will execute pipelines that could fetch and run arbitrary code. The lack of declared required binaries is a mismatch (should list pnpm/node/git/YARA at minimum).
Credentials: concernSKILL.md names dependent skills that require credentials (e.g., x-twitter needs TWITTER_BEARER_TOKEN; social-sentiment needs an Xpoz account) and implies publishing actions (ClawHub, X). Yet the skill metadata lists no required environment variables or primary credential. This discrepancy means the skill will expect secrets/credentials at runtime without declaring them, which is a proportionality and transparency issue.
Persistence & Privilege: notealways is false (normal) and autonomous invocation is allowed (platform default). Autonomous invocation combined with the pipeline's ability to publish externally (post tweets, publish skills) increases potential impact if misconfigured, but autonomy alone is not flagged here. There's no evidence the skill requests permanent system-wide config changes, but it does operate on host filesystem paths and may push content externally.