Skill v0.1.2

ClawScan security

Method Dev Agent · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Suspicious · Feb 27, 2026, 11:31 PM
Verdict
suspicious
Confidence
medium
Model
gpt-5-mini
Summary
The skill largely implements a local Streamlit app for chromatography method management (coherent with its description), but there are a few inconsistencies and a detected prompt-injection signal that warrant caution before installing or running it.
Guidance
What to check before installing or running this skill:

- Inspect SKILL.md and README for hidden characters (unicode control chars). Use a hex viewer or an editor that shows non-printable characters; remove or ask the author about any strange contents.
- Confirm which 'AI' features are local rule-based vs. remote LLM calls. The repository's code implements a simple rule engine (utils.suggest_optimization); if you expect external LLM functionality, ask the author whether an API key is required and whether network calls are made.
- Do NOT run publish.sh unless you intend to push commits and publish to ClawHub. That script will attempt git commits, git push and clawhub publish and will use your git/clawhub credentials and network access.
- Run the code in an isolated environment (virtualenv/container) and review requirements.txt. Start the Streamlit app locally and confirm it only reads/writes to the project data/ directory.
- If you will store sensitive or regulated lab data, verify data storage and backup policies and consider encrypting or using an approved LIMS. This tool writes a local SQLite DB and CSV exports by default—ensure that matches your compliance needs.
- If you want higher confidence, run the unit tests (tests/test_basic.py) and scan the code for any unexpected network/socket usage. The included code does not show outbound network calls, but thorough vetting is recommended.

If you'd like, I can (a) produce a small checklist of exact commands to safely inspect files for non-printable characters, (b) summarize which files perform filesystem or network operations, or (c) generate a short list of questions to ask the author about the advertised 'AI recommendation' paid feature.
Findings
[unicode-control-chars] unexpected: The pre-scan detected unicode control characters in SKILL.md. The app is a local Streamlit app and does not need hidden control characters in docs. Hidden/unexpected characters can be used for prompt-injection or to obscure content; user should inspect SKILL.md and other docs for non-printable characters before trusting or publishing.

Review Dimensions

Purpose & Capability
note
The code (Streamlit UI, SQLite DB, utilities for chromatographic metrics and simple rule-based suggestions) matches the stated purpose of experiment records, method library, and analysis. Minor mismatch: SKILL.md quick-start shows 'streamlit run app.py' at the repo root while the application is located at src/app.py (README uses src/app.py). The SKILL.md advertises 'AI推荐' (AI recommendations, paid) — the included code implements a simple local rule engine (utils.suggest_optimization) rather than an LLM integration; that's plausible but should be made explicit to avoid expectation of an external AI service.
Instruction Scope
concern
SKILL.md runtime instructions are minimal (pip install dependencies and run Streamlit locally) and consistent with a local app. However: (1) the repository includes a publish.sh that will attempt to commit, push to GitHub and call 'clawhub publish' — running that script will use your git/clawhub credentials and network, but SKILL.md doesn't warn about it; (2) the package contains many marketing drafts and a publish workflow which may encourage the user to run network/publishing steps; (3) a pre-scan found 'unicode-control-chars' in SKILL.md, which may indicate hidden control characters (possible prompt-injection attempt embedded in docs). The app code itself does not make outbound network calls or read arbitrary system files beyond writing to a local data directory.
Install Mechanism
ok
No install spec is declared (instruction-only), so nothing is automatically downloaded or written during 'installation'. Dependencies are standard Python libs listed in requirements.txt (streamlit, pandas, plotly, numpy, dateutil). This is low-risk compared with an arbitrary network download. The included publish script performs network operations only if explicitly executed.
Credentials
ok
The skill does not declare or require any environment variables or credentials. That aligns with the code which stores data in a local SQLite file under a data/ directory. One caveat: publish.sh expects git remote and ClawHub login (credentials), but these are developer convenience scripts and not required for the app to function; the skill does not request unrelated secrets.
Persistence & Privilege
ok
No elevated privileges are requested. The skill is not always-enabled. It persists data to a local SQLite DB in the project data/ folder and writes CSV exports under data/exports. That is proportionate to its purpose. There is no code that modifies other skills or system-wide agent settings.