Skill v1.0.2
ClawScan security
SafeHub · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Suspicious · Mar 8, 2026, 3:33 PM
- Verdict: suspicious
- Confidence: medium
- Model: gpt-5-mini
- Summary: The skill largely does what it says (scans skills), but a few design choices are surprising or risky: the ability to overwrite its rule set from any GitHub repo, a sandbox that does not actually observe runtime behavior, and persistent cached reports in the user's home directory.
- Guidance: SafeHub's implementation is coherent with its stated purpose, but pay attention to these practical risks before installing or running it:
  1. The 'update' command fetches and overwrites the scanner's rule files from whatever GitHub repo you point it at. Only use a rules repo you trust, and avoid running update against unknown forks.
  2. The Docker sandbox runs the target read-only with no network, but the code does not instrument or report detailed runtime behavior (networkAttempted and sensitiveReads are never actually detected), so do not rely on the sandbox alone to prove safety.
  3. Cached reports are stored in ~/.safehub, and a Docker named volume may be created; review or delete these if they contain sensitive metadata.
  4. Because the tool runs git clone on GitHub URLs and starts containers via the Docker daemon, run SafeHub in an isolated environment (or inspect the code locally) if you are scanning untrusted repos.
  If you plan to rely on SafeHub's results, review scanner/static.js and scanner/scorer.js to understand exactly which patterns are detected and how the trust score is computed.
Review Dimensions
- Purpose & Capability
  - ok: Name/description match the implementation: it runs Semgrep-based static analysis and an optional Docker sandbox. Required binaries (node, semgrep, git) are proportional to the declared purpose. Dependencies (commander, dockerode) are reasonable for a CLI that can control Docker.
- Instruction Scope
  - concern: SKILL.md and the code keep scope mostly limited to scanning. However:
    1. The sandbox implementation simply runs the target in a container and does not instrument or capture network attempts or sensitive reads (the sandboxResult fields are always empty unless an error occurs), so the claimed behavioral observation is misleading.
    2. The updater fetches and overwrites local rule files from any GitHub repo specified via SAFEHUB_RULES_REPO. This gives an external source control over the scanner's detection logic and must be treated as a privileged operation.
    3. Cached reports are written to ~/.safehub and may contain metadata about findings.
    All environment variables the code reads are documented in SKILL.md.
- Install Mechanism
  - note: No install spec is declared (installation is expected via ClawHub or npm), so nothing arbitrary is downloaded during install. The only runtime network downloads are the GitHub API and raw-content requests made by the update command, which use well-known GitHub endpoints. No URL shorteners or personal servers are used. The code bundle contains the source files, so it can be audited locally.
- Credentials
  - concern: No secret credentials are requested. The optional environment variables are reasonable (rules repo, branch, data dir, sandbox image, timeout). The main concern is that SAFEHUB_RULES_REPO lets a user point the updater at any repo; if an attacker (or the user unknowingly) points it at a malicious fork, SafeHub will overwrite its local rule set with those files, potentially suppressing warnings or producing false-safe results. SAFEHUB_DATA_DIR defaults to ~/.safehub and stores cached reports; that persistent storage should be considered when scanning sensitive code.
- Persistence & Privilege
  - note: The skill's 'always' flag is false, and it does not request platform-wide privileges. It creates and uses a persistent cache directory (~/.safehub) and may create a Docker named volume 'safehub_tmp', which can persist between runs. It does not modify other skills' configs. The ability to overwrite ./rules in the skill directory via update is a documented form of self-modification and is privileged with respect to the scanner's behavior.
