Skill v2.3.1

ClawScan security

skills coach · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Suspicious
Apr 29, 2026, 3:19 AM
Verdict
suspicious
Confidence
high
Model
gpt-5-mini
Summary
The skill's claimed purpose (analyzing and optimizing other Skills) matches the code, but it requires and uses an external LLM (Anthropic/Claude) and will execute and modify copies of target-skill files while prompting for an API key — yet the registry metadata does not declare any required credentials or install actions, which is an important mismatch and a privacy/execution risk the user should understand.
Guidance
What to consider before installing or running this skill:

- Missing credential disclosure: The code expects an Anthropic/Claude API key (ANTHROPIC_API_KEY / AUTH_TOKEN) and will prompt you for it if not present, but the skill registry lists no required env vars. Only provide an API key if you trust the skill and the operator of the external LLM. Prefer using a scoped/ephemeral key or an account with limited quota.
- Data sent to external LLM: The optimizer will send SKILL.md, generated variants, rollout summaries, and other artifacts to the Anthropic/Claude API. Do not run this on skills that contain secrets, private credentials, or sensitive business code unless you are comfortable with that data leaving your environment.
- Real execution risk: By default execution/evaluation modes are set to "real" and auto_install_deps is true. The orchestrator may execute scripts and commands from the target-skill copy and install dependencies. Run first in a sandbox/VM/container or set configuration to simulated mode to avoid executing untrusted code.
- Audit before use: Inspect orchestrator.py, exec-agent/executor.py and any code that performs subprocess calls or network I/O to confirm what will be executed and where results are sent. Look specifically for subprocess.run/exec, HTTP clients, and uses of ANTHROPIC_BASE_URL (which could point to a non-Anthropic endpoint).
- Mitigations: run verify.sh in an isolated environment first, switch evaluation/grpo_execution to simulated, disable auto_install_deps, and review or restrict outbound network access. If you must supply an API key, consider a dedicated, low-privilege key and monitor usage.
- When it's reasonable: This skill appears to implement the described optimizer and could be useful for legitimate skill improvement work — but because it will transmit code and execute variants remotely/locally, treat it as high-risk for sensitive targets and follow the audit and sandbox recommendations above.

Review Dimensions

Purpose & Capability
concern: The skill's purpose (analyze/optimize Skills) aligns with the included code: it detects code capabilities, generates tasks, runs rollouts, and produces optimized copies. However the repository and runtime make networked LLM calls (Anthropic/Claude) and perform real command execution on target skills. The registry metadata declares no required environment variables/credentials, but the code expects ANTHROPIC_API_KEY (and optionally ANTHROPIC_AUTH_TOKEN / ANTHROPIC_BASE_URL). This mismatch between claimed requirements and actual needs is a material inconsistency.
Instruction Scope
concern: SKILL.md and included scripts instruct the agent to copy the target skill, run generated commands against it (real execution mode by default), auto-install dependencies, run evaluation agents and LLM-based introspection, and send skill content/variants to an Anthropic model. That scope is consistent with optimization but also means the skill will read arbitrary files from the target-skill, run them, and transmit their contents to an external LLM — actions that are outside what the registry metadata advertised and that can expose sensitive code or secrets.
Install Mechanism
note: There is no formal install spec (instruction-only), but config enables auto_install_deps and the docs recommend pip install anthropic pyyaml. The code includes verify.sh and many Python modules that will be executed locally. Absence of an explicit, auditable install step is moderately risky because the skill will attempt to install/require dependencies at runtime (potentially via pip) and then execute local Python scripts.
Credentials
concern: Although registry metadata lists no required env vars, multiple files (api_checker.py, optimizer implementations) expect an Anthropic API key / token and allow ANTHROPIC_BASE_URL. Requiring an LLM API key is reasonable for an optimizer that uses Claude, but it should be declared up-front. Also the code will send target SKILL.md, generated variants, and other artifacts to the LLM — so providing an API key effectively allows transmission of local skill contents to an external service. The number and sensitivity of environment accesses are disproportionate to what the registry claimed (none).
Persistence & Privilege
ok: always:false and model invocation is permitted (default). The skill follows an immutability rule—it copies the target skill to a -optimized directory and claims not to modify the original. It does not request persistent global privileges or attempt to change other skills' configurations. That behavior is coherent with its stated purpose.