Skill v1.0.0

ClawScan security

Apprentice · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Suspicious · Feb 20, 2026, 2:59 PM
Verdict
suspicious
Confidence
high
Model
gpt-5-mini
Summary
The skill's files are self-contained and local, but its documentation overstates capabilities (automatic observation and 'sandboxed' execution) and the runtime actually writes and runs unsandboxed shell scripts created from user-recorded steps — review generated SKILL.md/run.sh carefully before executing workflows.
Guidance
Key points to consider before installing or using Apprentice:
- The code is local and uses only the Python standard library, but the documentation overstates features: it does NOT implement automatic OS-level or audio monitoring — it records whatever you explicitly submit during observation (you must narrate or call observe.py record).
- Generated workflows produce run.sh, which is executed as a normal shell script (via bash). Despite the term "sandboxed execution" in the docs, there is no sandboxing. Treat generated run.sh files as potentially dangerous: inspect them before running, especially if you ever narrated or included commands that touch credentials, ssh keys, git remotes, or network endpoints.
- Workflows can include commands that trigger external network activity (git push, curl, remote add); the apprentice code itself makes no external calls, but your recorded steps can cause network I/O when run. Use --dry-run/preview before running live.
- Variable detection and substitution are heuristic and imperfect; verify that variable replacements in run.sh are correct and won't accidentally leak secrets or mis-substitute values.
- Recommended precautions: review observation.json and the generated SKILL.md/run.sh before first run, run in a safe environment (container or VM) for initial tests, avoid narrating secrets or passphrases during observation, and keep backups of any important config/credentials before running learned workflows.
- Confidence note: assessment is high confidence because the codebase is included and shows the capabilities and gaps described. If the skill integrates with platform-level "listening" features not present in these files, that would change the analysis — request evidence of any such runtime hooks if they are claimed.

Review Dimensions

Purpose & Capability
concern: The skill claims to "observe every step" (commands run, files created) and to 'listen' to the user, but the included scripts provide no automatic OS-level monitoring or audio capture: observation is limited to text entries saved via the CLI (observe.py record). Requested resources (no env vars, no binaries) match a local, narration-driven approach, so the README/SKILL.md wording is misleading about automatic system observation.
Instruction Scope
concern: SKILL.md and README repeatedly imply fully automatic observation and 'sandboxed execution'. The actual scripts record user-provided narration, synthesize SKILL.md/run.sh and then execute run.sh via bash (run.py uses subprocess.run). There is no sandboxing implemented — run.sh is a normal shell script executed with the agent's user privileges and can perform arbitrary actions (including network calls or credential use) depending on what the learned steps contain.
Install Mechanism
ok: There is no install spec and the package is instruction-only plus three stdlib Python scripts. Nothing is downloaded from external URLs and no install-time code executes external code. This is low-risk from an installer perspective.
Credentials
ok: The skill declares no required environment variables or credentials and the code does not read environment variables intentionally. However, generated workflows/run.sh can request variables or read environment values at runtime — that is expected but requires user caution, not a mismatch in declared requirements.
Persistence & Privilege
note: The skill writes workflows/ entries and saves observation.json, SKILL.md, run.sh and run_log.json in a local workflows directory — this is expected for a workflow-learning tool. always:true is not set. The claim of 'sandboxed execution' is inaccurate: persisted workflows run arbitrary shell code with the user's privileges, increasing blast radius if a workflow contains sensitive operations.