Skill v0.1.0

ClawScan security

Skill Evolver · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Benign · Mar 10, 2026, 3:46 AM
Verdict
benign
Confidence
high
Model
gpt-5-mini
Summary
The skill's code, instructions, and tooling are coherent with its stated purpose (skill discovery, inspection, audit, orchestration, and optional fusion); nothing requested is disproportionate, though the audit flow includes detection of destructive patterns and an explicit removal suggestion that you should review before allowing automated execution.
Guidance
This skill appears internally consistent and implements a reasonable workflow for discovering, inspecting, auditing, and fusing skills. Before installing or allowing autonomous runs, consider:
1) Review the three bundled scripts (audit_skill.py, verify_skill.py, search_skills.py) to ensure they meet your expectations; they read your local skill directories (e.g., ~/.claude/skills) and generate reports.
2) Do not allow automated execution to run the shell removal snippet or any destructive command without an explicit human confirmation — the audit report includes an rm -rf suggestion that could be executed if you or an agent runs it.
3) If you enable registry interactions, be aware the docs recommend running global installs (npm i -g clawhub) or npx commands; prefer running those manually under a controlled environment.
4) If you plan to use fusion/materialization, review the 'skill-creator' tool or process that will produce new code and audit it before installing.
If you want higher assurance, run the scripts in a sandbox or non-production environment first.
Findings
[HIGH_RISK_PATTERN_rm_-rf] expected: The audit script intentionally searches for destructive command patterns like 'rm -rf'. Finding these literals in the audit script is expected because the script flags them in candidate skills.
[HIGH_RISK_PATTERN_curl_pipe_bash] expected: The audit script includes patterns to detect remote code execution patterns (e.g., 'curl ... | bash'). Presence of this detection pattern is expected for a security auditor.
[HIGH_RISK_PATTERN_cat_private_keys] expected: The auditor scans for credential-access patterns (e.g., reading .pem/.key/id_rsa). This is expected for the script's purpose.

Review Dimensions

Purpose & Capability
ok: Name and description match the included files and runtime instructions: the repo contains search, verify, and audit scripts and many templates describing search/inspection/fusion/orchestration; these are exactly what a 'skill lifecycle manager' would need.
Instruction Scope
note: SKILL.md instructs the agent to create an output directory, run intent analysis, search local and remote registries, verify installation, run security audits, and optionally invoke a skill-creator. The scripts read local skill directories (e.g., ~/.claude/skills and ./skills), inspect SKILL.md content, and produce audit reports. This is within scope, but the audit workflow produces explicit removal instructions (an rm -rf command snippet) when a high-risk pattern is found — allowlist/confirm any destructive actions before permitting autonomous execution.
Install Mechanism
ok: No install spec; this is an instruction-only skill with bundled utility scripts. No remote downloads or extract/install steps are present in the repository files. External CLIs (npx skills, clawhub) are optional prerequisites referenced in docs; those are standard for registry interactions.
Credentials
ok: The skill declares no required environment variables or credentials. The scripts operate on local skill directories and templates; they do not request secrets or unrelated credentials. References to external CLIs are optional and reasonable for registry searches.
Persistence & Privilege
ok: 'always' is false and the skill does not claim permanent elevated privileges or attempt to modify other skills' configs. The workflow can invoke destructive actions (deleting a skill directory) but the repo only suggests rm -rf in an audit report rather than performing deletion itself — still, human confirmation is advisable before executing such actions.