Skillv1.0.5

ClawScan security

Skill Preflight · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

BenignMar 26, 2026, 10:57 PM

Verdict: benign
Confidence: high
Model: gpt-5-mini
Summary: The plugin's code and instructions match its stated purpose: it scans local skill/protocol markdown, embeds text via Ollama's nomic-embed-text model, ranks docs by similarity, and injects relevant docs — but be careful not to point ollamaBaseUrl at a remote host or store secrets in your docs.
Guidance: This plugin is internally consistent and implements what it claims, but review these before enabling: (1) Keep ollamaBaseUrl set to localhost/127.0.0.1/::1 unless you trust the remote host — otherwise your prompts and all indexed docs (including any embedded secrets or API keys in markdown) will be transmitted off-host. (2) Audit your skills/ memory/protocol markdown and remove any secrets or credentials before allowing the plugin to index them, or restrict protocolDirs/skillsDirs to safe paths. (3) Because the repository source is 'unknown' in the metadata provided, review the dist/index.js (full file) yourself or run the plugin in a sandbox to confirm behavior matches expectations. (4) Tune minScore, maxDocLines, and pinnedDocs to reduce accidental injection of large or sensitive docs. (5) If you need higher assurance, run Ollama locally and validate network traffic to ensure embeddings never leave your machine.

Review Dimensions

Purpose & Capability: okName/description, SKILL.md, package.json, and dist/index.js all describe and implement the same feature: local scanning of skills/protocols, embedding via nomic-embed-text through an Ollama HTTP API, ranking by cosine similarity, and injecting top matches. There are no unrelated credential or binary requirements.
Instruction Scope: noteInstructions and implementation explicitly read markdown files from configured workspace directories (skills/, memory/protocols/, tools files, pinned docs) and embed both the incoming prompt and full document text. That behavior is expected for the stated purpose, but it means any secrets or credentials embedded in your docs will be read and (depending on configuration) transmitted for embedding.
Install Mechanism: okNo external install script or remote downloads are included in the plugin bundle. The only external runtime dependency is Ollama and the local embedding model (which the SKILL.md instructs you to pull). No arbitrary URL downloads or archive extraction are present in the provided files.
Credentials: okThe plugin declares no required environment variables or credentials and the code doesn't request unrelated secrets. The main configuration risk is the ollamaBaseUrl: if set to a remote host, prompt text and indexed docs (including any secrets in them) will be sent to that host. The code and docs clearly warn about this trust-boundary change.
Persistence & Privilege: okThe skill is not force-enabled (always: false), doesn't request elevated privileges, and appears to only operate within its own configured scope (workspace doc dirs and its session caches). It does not modify other skills' configurations per the provided files.