Skill v1.0.1
ClawScan security
Skill Security Scanner · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Suspicious · Feb 16, 2026, 9:41 PM
- Verdict: suspicious
- Confidence: medium
- Model: gpt-5-mini
- Summary: The skill honestly implements a lightweight scanner, but its claims (full security scanning and trust scoring) are disproportionate to what it actually inspects: it's largely limited to searching SKILL.md and metadata and can miss malicious code in other files or hidden downloads.
- Guidance: This skill is a useful, low-risk helper but be cautious: the automated script only inspects SKILL.md and metadata (it greps for network calls, env names, and markdown headings). It will miss malicious code in other files, hidden downloads, compiled binaries, or obfuscated scripts. Treat its trust score as a quick heuristic, not a definitive verdict. Before relying on it: (1) manually review code files (scripts, binaries, build/install steps), (2) run more comprehensive static-analysis tools across the whole skill directory, (3) sandbox test unknown skills (limited privileges/VM/container), and (4) avoid automatically sharing scan results to other services unless you trust those integrations. If the author/packaging is unfamiliar, prefer manual code review in addition to this scanner.
Review Dimensions
- Purpose & Capability (note): The name and description match the contained files: a scanner that inspects skills. However, the shipped scanner is very lightweight and only greps SKILL.md and metadata; it does not actually scan code files, binaries, or perform dynamic analysis despite implying a full-skill audit and trust scoring. Asking for no credentials and no special binaries is coherent for this purpose.
- Instruction Scope (concern): SKILL.md describes scanning strategies (network calls, credential reads, obfuscation) and example patterns, but the runnable script (scripts/scan-skill.sh) only searches the skill's SKILL.md for a handful of regexes and metadata lines. The documentation suggests examining full source and integrating with memory/other skills, but the automated checks do not analyze code files, dependencies, or runtime behavior, creating a risk of false negatives (malicious behavior hidden in other files) and false confidence.
- Install Mechanism (ok): No install spec and no external downloads; the repository is instruction-only with a small local shell script. This is low risk from an install perspective because nothing will be written or executed automatically on install. Running the included script executes only local greps and echoes.
- Credentials (ok): The skill requests no environment variables or credentials and does not attempt to read system files in the provided script. SKILL.md warns about sensitive files (e.g., ~/.aws/credentials) but only as examples of red flags. A small note: the docs recommend storing trust scores in 'memory' or reporting findings to other skills. That implies potential storage/sharing of scan results, but this is a user-level integration choice, not an automatic credential request.
- Persistence & Privilege (note): always:false and normal model invocation settings are used. The SKILL.md suggests integrating with agent memory and other skills, which could persist or share findings; that's not inherently malicious, but users should be aware that trust scores and scan results might be stored or broadcast if they enable such integrations.
