Skill v1.6.5
ClawScan security
Faces · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Suspicious · Mar 27, 2026, 10:15 PM
- Verdict: suspicious
- Confidence: medium
- Model: gpt-5-mini
- Summary: The skill's instructions mostly match its stated purpose (managing and compiling personas via the Faces CLI), but there are several mismatches and privacy-sensitive behaviors you should understand before installing or using it.
- Guidance: This skill is an instruction-only wrapper around a third-party CLI (faces-cli) and a hosted service (api.faces.sh). The functionality described (persona creation, compilation, chat, imports, billing) matches the documented commands, but note these important points before you proceed:
  - Trust & provenance: installing the CLI requires 'npm install -g faces-cli'. Only install if you trust the npm package and its publisher; verify the package on npmjs and the upstream repository before running a global npm install.
  - Local files & credentials: the CLI will store credentials (JWT or API keys) in ~/.faces/config.json and maintain a local catalog at ~/.faces/catalog/. If you use this skill, expect these files to be created and to hold metadata and tokens — review and protect them. The manifest claimed 'no required config paths' even though the docs describe these files; treat that as an inconsistency.
  - Sensitive data: the ATTRIBUTES list includes very sensitive fields (social_security_number, tax_id, full addresses). Avoid uploading or entering SSNs, tax IDs, or other unnecessary PII into the platform or into the local catalog unless you have a clear, consented reason and you trust the service's data handling and retention policies.
  - Credentials & OAuth: the skill supports JWTs, API keys, and linking your ChatGPT account (OAuth). Prefer scoped API keys with budgets/expiry for automated use, and be cautious when linking accounts or sharing tokens. The registration flow requires a payment step (Stripe checkout) — a human must complete it.
  - Tooling: examples use jq and recommend '--json' output parsing. Ensure you have jq (or equivalent) if you replicate example pipelines.
  - No code in skill bundle: because this is instruction-only, the skill itself does not contain executable code, but it instructs you to run networked CLI commands. The security posture depends entirely on the CLI and the Faces service; verify their trustworthiness separately.

  If you decide to proceed: verify the npm package and repo, prefer limited API keys with budgets/expiry, avoid uploading unnecessary PII, and inspect or back up ~/.faces/config.json and ~/.faces/catalog/ so you control local copies of sensitive material.
Review Dimensions
- Purpose & Capability (ok): The name/description map directly to the CLI commands and workflows in SKILL.md (face creation, compile, chat, boolean composition, imports, billing). Required binaries and network access referenced are appropriate for a CLI client of a hosted API.
- Instruction Scope (concern): The SKILL.md instructs the agent/user to run many faces CLI commands that read/write ~/.faces/config.json and ~/.faces/catalog/ (local storage of credentials and catalog). It also references environment variables (FACES_TOKEN, FACES_API_KEY, FACES_BASE_URL) and example use of jq, but the skill manifest declared no required config paths or env vars. That mismatch (manifest says none, docs say CLI will read/write these files and env vars) is an incoherence worth calling out. Also the ATTRIBUTES list includes extremely sensitive PII fields (social_security_number, tax_id, full addresses), which encourages storing highly sensitive personal data in the platform and in local catalog files.
- Install Mechanism (note): The skill is instruction-only (no install spec). SKILL.md tells users to install the CLI via 'npm install -g faces-cli' if missing. Installing a global npm CLI is normal but requires trust in the npm package and publisher; SKILL.md asserts the package is on npm and published by 'sybileak' (and points to a repo), but the registry metadata provided with the skill does not itself verify that provenance. There is no direct download URL in the skill bundle to validate the package origin.
- Credentials (concern): The skill does not declare required env vars in the manifest, yet documentation and examples rely on FACES_TOKEN, FACES_API_KEY, and FACES_BASE_URL. Those variables are relevant to a CLI client, but the mismatch between declared requirements (none) and the documented env vars is an inconsistency. More importantly, the ATTRIBUTES reference list includes highly sensitive fields (e.g., social_security_number, tax_id, exact addresses). While such fields might be needed for certain persona reconstructions, asking users (or examples) to supply them is disproportionate from a privacy perspective and increases risk of sensitive-data exposure or retention on the remote platform and in local ~/.faces files.
- Persistence & Privilege (concern): The skill does not request always:true and is not persistent in the registry sense. However, the CLI stores credentials (JWT/API keys) and maintains a local catalog at ~/.faces/catalog/ and a config at ~/.faces/config.json. That local persistence is expected for a CLI, but the skill manifest reported 'no required config paths' while the instructions explicitly document these paths — a mismatch a user should be aware of. The skill also supports linking a user's ChatGPT subscription and creating API keys, both of which grant persistent capabilities that should be scoped carefully (use budgeted, limited API keys where possible).
