Skillv1.1.3

ClawScan security

Pua En · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

SuspiciousMar 13, 2026, 9:25 AM

Verdict: suspicious
Confidence: medium
Model: gpt-5-mini
Summary: The skill's instructions tell the agent to autonomously read files and run commands across every task and to use coercive 'PUA' rhetoric, but the skill declares no needed tools/credentials and grants very broad, surprise-capable behavior — the pieces don't align and could lead to privacy and behavior risks.
Guidance: This skill is suspicious because it tells the agent to proactively read files and run commands across any task and to use coercive language, yet it declares no tools or limits. Before installing, consider: 1) Do not enable it if you don't want an agent to access files/execute commands without explicit confirmation. 2) Prefer only installing in a sandbox or test account first. 3) Restrict the agent's tool permissions (disable file/command tools) or require explicit user consent before any file read/command run. 4) Ask the author to narrow scope (limit task types, declare required tools/permissions, require explicit user confirmation before any privileged action) and to remove coercive rhetoric or make it optional. 5) Monitor logs/audits for any unexpected file access or command execution. If you cannot enforce these restrictions, avoid installing this skill.

Review Dimensions

Purpose & Capability: concernThe name/description promises a motivational/proactivity layer, but the runtime instructions demand unrestricted use of search, file-reading, and command-execution tools across ALL task types. The skill declares no required tools, binaries, or environment variables — a mismatch between what it says it will do and what it asks for or documents.
Instruction Scope: concernSKILL.md explicitly instructs the agent to 'act before asking', investigate using file reads and command execution, exhaustively probe contexts, and attach evidence. That guidance goes beyond benign motivational wording: it instructs access to system/state (files, commands, search) and encourages aggressive escalation and coercive phrasing, which could surface sensitive data or produce abusive output.
Install Mechanism: okInstruction-only skill with no install spec or code files — lowest installation risk. Nothing will be written to disk by an installer.
Credentials: concernThe skill declares no environment variables or credentials, yet its instructions imply the agent should access files/configs and potentially secrets (it references passwords/accounts as 'user-only' info). Because it requires unrestricted file/command access in practice, the lack of declared, narrow permissions is disproportionate and surprising.
Persistence & Privilege: notealways:false and default autonomous invocation are normal. However the skill's universal 'apply to all tasks' and its 'act before asking' mandate increase the blast radius if the agent is allowed to invoke tools (file reads, commands) autonomously. The skill does not request persistent system modification or always:true.