Skill v1.0.8

ClawScan security

Canary · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Benign · Mar 10, 2026, 7:40 AM
Verdict
benign
Confidence
high
Model
gpt-5-mini
Summary
The skill's code, instructions, and files are coherent with its stated purpose as a regex-based agent safety / tripwire system and do not request unrelated credentials or install arbitrary external code.
Guidance
This package appears to be what it claims: a local, regex-based safety monitor and tripwire manager. Before installing, consider:

1. It creates and writes files in your working directory and under your home (canary.log, .canary_tripwires, and any tripwire paths you create); review and choose safe tripwire locations.
2. It uses regex matching only, so it can be bypassed by obfuscation or encodings, or by an agent that simply skips the checks (LIMITATIONS.md documents this).
3. It does not send logs off-host by default (the provided code makes no network calls), but review any modifications if you add alerting hooks.
4. Run agents with least privilege (a container or a limited user) and confirm that your agent actually invokes Canary before executing sensitive actions.

If you need enforcement beyond advisory checks, add OS-level sandboxing or auditing (auditd, containers).
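To make the regex-only limitation in point 2 concrete, here is an added example in Python (not the Canary skill's own code; the pattern lists, the check_path/check_command bodies and the assumed home directory /home/agent are constructed for illustration and do not reproduce the skill's config.json). It shows a naive regex check over the raw path or command string, the kind of cheap obfuscation that slips past it, and a normalization step that closes some, but not all, of that gap:

```python
"""Added example, not the Canary skill's own code: a regex-only path/command
check, the obfuscations that bypass it, and a normalization pass that
catches the cheap ones. Patterns and paths below are constructed."""
import posixpath
import re
import shlex
from urllib.parse import unquote

# Constructed pattern lists; Canary's real config.json is not reproduced here.
SENSITIVE_PATH_PATTERNS = [
    r"(^|/)\.aws/",
    r"(^|/)\.ssh/",
    r"(^|/)\.gnupg/",
    r"^/etc/(shadow|sudoers)$",
]
SENSITIVE_COMMAND_PATTERNS = [
    r"\bcurl\b.*\|\s*(ba)?sh\b",    # curl ... | sh
    r"\bbase64\b.*\|\s*(ba)?sh\b",  # base64 -d ... | sh
    r"\brm\s+-rf\s+/",              # rm -rf /...
]

_PATH_RES = [re.compile(p) for p in SENSITIVE_PATH_PATTERNS]
_CMD_RES = [re.compile(p) for p in SENSITIVE_COMMAND_PATTERNS]

ASSUMED_HOME = "/home/agent"  # assumed so that the example is deterministic


def check_path(path: str) -> bool:
    """Naive advisory check: does the raw string hit a sensitive-path regex?"""
    return any(r.search(path) for r in _PATH_RES)


def check_command(cmd: str) -> bool:
    """Naive advisory check on the raw command string."""
    return any(r.search(cmd) for r in _CMD_RES)


def shell_unquote(text: str) -> str:
    """Collapse shell quoting and escapes (cu''rl -> curl, \\w -> w) the way a
    POSIX shell would; unbalanced quotes fall back to the raw text."""
    try:
        tokens = shlex.split(text)
    except ValueError:
        return text
    return " ".join(tokens)


def normalize_path(path: str, home: str = ASSUMED_HOME) -> str:
    """Undo the cheap obfuscations before matching: shell quoting,
    percent-encoding, ~ and $HOME indirection, and ./ .. segments."""
    path = shell_unquote(path)
    path = unquote(path)
    path = path.replace("$HOME", home)
    if path == "~" or path.startswith("~/"):
        path = home + path[1:]
    return posixpath.normpath(path)


def check_path_normalized(path: str) -> bool:
    """Same regexes, applied to the normalized path."""
    return check_path(normalize_path(path))


def check_command_normalized(cmd: str) -> bool:
    """Same regexes, applied to the de-quoted, percent-decoded command."""
    return check_command(unquote(shell_unquote(cmd)))


if __name__ == "__main__":
    # Constructed inputs: one plain hit, two obfuscated variants, one opaque payload.
    for sample in ("~/.aws/credentials", "~/.a''ws/credentials", "~/%2Eaws/credentials"):
        print(f"{sample!r}: raw={check_path(sample)} normalized={check_path_normalized(sample)}")
    opaque = "python3 -c \"import base64; exec(base64.b64decode('cHJpbnQoMSk='))\""
    print(f"opaque payload: raw={check_command(opaque)} normalized={check_command_normalized(opaque)}")
```

The normalization is itself a heuristic: it undoes shell quoting, percent-encoding, ~ and $HOME indirection and ../ segments, so cu''rl and %2Eaws are caught, but a payload hidden in a base64 string handed to python3 -c matches nothing, and an agent that never calls the check is not affected at all. That remaining gap is what point 4 fills with least privilege and OS-level auditing.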

Review Dimensions

Purpose & Capability
ok · Name/description, SKILL.md examples, and the included Python modules (canary.py, canary_tripwire.py, canary_audit.py, config examples) all align: functionality is focused on path/command pattern checks, tripwire honeypots, rate limiting, and audit logging. No unrelated environment variables, cloud credentials, or external services are required that would be disproportionate to the stated purpose.
Instruction Scope
ok · Runtime instructions are narrowly scoped: call check_path/check_command, create and check tripwires, and run the audit scripts. SKILL.md does direct the creation of honeypot files and the writing of logs and registries under the user's filesystem (config.json, canary.log, .canary_tripwires); that is expected behavior for a tripwire/audit tool and is documented in LIMITATIONS.md.
Install Mechanism
ok · No install spec; it is an instruction-only skill bundled with Python source. The code claims to use only the Python 3.7+ standard library, and the files provided match that claim (no third-party imports). No downloads, package installs, or remote executable fetches are present.
Credentials
ok · The skill requests no environment variables or credentials. It does operate on filesystem paths (including sensitive locations, when you choose to place tripwires there) and writes local log and registry files. Those filesystem actions are proportional to a tripwire/audit tool, but they are worth noting because tripwires deliberately target sensitive locations such as ~/.aws/ as part of their purpose.
Persistence & Privilege
note · The skill persists state and logs to local files (canary.log, .canary_tripwires/registry.json, alerts.log). It does not request elevated OS privileges or try to modify other skills or system-wide agent settings. Note that 'always' is false: the agent must be written to call Canary's checks, and Canary does not enforce kernel-level sandboxing.
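The Instruction Scope and Persistence & Privilege dimensions above describe the tripwire side of the skill: plant decoy files, record them in a registry under .canary_tripwires, and alert when one changes. The following is an added Python example of that pattern (not the Canary skill's own code; the registry layout, the file names registry.json and alerts.log, the fingerprint fields and the decoy path under a throwaway directory are all assumptions made for illustration). It plants a decoy, verifies it is untouched, then tampers with and deletes it to show the two kinds of event such a check can actually observe:

```python
"""Added example, not the Canary skill's own code: a file-based tripwire
registry with create/check operations. Names and layout are assumptions."""
import hashlib
import json
import os
import tempfile
from pathlib import Path

REGISTRY_FILE = "registry.json"  # assumed name, mirroring .canary_tripwires/registry.json
ALERT_LOG = "alerts.log"         # assumed name, mirroring the review's alerts.log


def _fingerprint(path: Path) -> dict:
    """What we remember about a decoy: content hash, size, mtime and inode."""
    st = path.stat()
    return {
        "sha256": hashlib.sha256(path.read_bytes()).hexdigest(),
        "size": st.st_size,
        "mtime_ns": st.st_mtime_ns,
        "ino": st.st_ino,
    }


def _load_registry(state_dir: Path) -> dict:
    reg = state_dir / REGISTRY_FILE
    return json.loads(reg.read_text()) if reg.exists() else {}


def _save_registry(state_dir: Path, registry: dict) -> None:
    state_dir.mkdir(parents=True, exist_ok=True)
    (state_dir / REGISTRY_FILE).write_text(json.dumps(registry, indent=2, sort_keys=True))


def create_tripwire(state_dir: Path, target: Path, content: bytes) -> dict:
    """Plant a decoy file and record its fingerprint. O_EXCL refuses to clobber
    a real file at the chosen path, which matters when decoys live in ~/.aws/."""
    target.parent.mkdir(parents=True, exist_ok=True)
    fd = os.open(target, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    with os.fdopen(fd, "wb") as fh:
        fh.write(content)
    registry = _load_registry(state_dir)
    registry[str(target)] = _fingerprint(target)
    _save_registry(state_dir, registry)
    return registry[str(target)]


def check_tripwires(state_dir: Path) -> list:
    """Compare every registered decoy with its recorded fingerprint, append
    one JSON line per tripped decoy to the alert log, and return the events."""
    events = []
    for path_str, expected in _load_registry(state_dir).items():
        path = Path(path_str)
        if not path.exists():
            events.append({"path": path_str, "event": "deleted"})
            continue
        current = _fingerprint(path)
        changed = [k for k in ("sha256", "size", "ino", "mtime_ns") if current[k] != expected[k]]
        if changed:
            events.append({"path": path_str, "event": "modified", "fields": changed})
    if events:
        with open(state_dir / ALERT_LOG, "a", encoding="utf-8") as log:
            for ev in events:
                log.write(json.dumps(ev) + "\n")
    return events


def demo() -> tuple:
    """Plant a decoy under a temporary directory, then tamper with it and
    delete it. Returns the (clean, after_write, after_delete) event lists."""
    with tempfile.TemporaryDirectory() as tmp:
        base = Path(tmp)
        state = base / ".canary_tripwires"
        decoy = base / "fake-home" / ".aws" / "credentials"  # constructed decoy path
        create_tripwire(state, decoy, b"[default]\naws_access_key_id = DECOY\n")
        clean = check_tripwires(state)
        with open(decoy, "ab") as fh:  # an agent edits the decoy
            fh.write(b"aws_secret_access_key = DECOY\n")
        after_write = check_tripwires(state)
        decoy.unlink()  # an agent removes the decoy
        after_delete = check_tripwires(state)
        return clean, after_write, after_delete


if __name__ == "__main__":
    for stage, events in zip(("clean", "after write", "after delete"), demo()):
        print(stage, events)
```

Note the caveat this exposes: a plain read of the decoy changes none of the recorded fields, so the most interesting event for a file under ~/.aws/, an agent reading it, is invisible to a fingerprint check, and atime is not a dependable substitute on filesystems mounted with relatime or noatime. Read detection needs auditd, inotify/fanotify, or a sandbox boundary, which is the same enforcement gap the scanner's guidance points to.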