Skill v1.0.0

ClawScan security

Clawditor · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Suspicious · Feb 17, 2026, 12:34 PM
Verdict
suspicious
Confidence
high
Model
gpt-5-mini
Summary
The skill's code generally matches its stated audit purpose, but the implementation contradicts its own 'avoid secret exfiltration' rule (scripts include file snippets and write them to eval/), and there are quality bugs — review carefully and run only on non-sensitive copies.
Guidance
This skill is coherent with its auditing purpose but has a meaningful mismatch between policy and implementation: the scripts capture and save snippets of file contents (logs, memory paragraphs) into eval/*.json and markdown, which can include secrets if present. Before using:
1) Run only on non-sensitive copies or a sandboxed copy of your workspace.
2) Inspect the scripts (log_scan.py and memory_dupes.py) — they include snippets (200/160 chars) and do not redact tokens.
3) Prefer running the helper scripts with their --json flags and review eval/*.json locally before sharing.
4) Consider adding redaction (mask common secret patterns) or excluding sensitive paths (use workspace_inventory --exclude or run_audit from a restricted root).
5) Note the memory_dupes human-output has a bug (undefined variable names) — use --json or fix that printing code if you need non-JSON output.
6) Ensure git is available if you expect git stats; otherwise git_stats will indicate 'Not a git repository'.
If you need absolute assurance of no sensitive capture, do not run this against production or credential-containing repositories until the scripts add explicit redaction and stricter path excludes.

Review Dimensions

Purpose & Capability
ok: Name/description (workspace auditor) align with the included scripts: inventory, memory duplicate detection, log scanning, git stats, report validation and an orchestrator. The scripts legitimately need filesystem and git access for the stated audit tasks.
Instruction Scope
concern: SKILL.md mandates 'avoid secret exfiltration' and preferring static inspection, but the helper scripts capture and emit file content snippets: log_scan returns matched lines (truncated) and memory_dupes includes text snippets; run_audit collects these JSON outputs under eval/ — so sensitive data from logs/memory could be recorded. The SKILL.md guidance is not enforced or implemented (no redaction). Also some CLI output paths contain bugs (memory_dupes prints using undefined names, which will crash non-JSON output).
Install Mechanism
ok: Instruction-only with bundled Python scripts; no install spec, no external downloads, and no third-party package pulls. Low install risk.
Credentials
ok: No environment variables, credentials, or config paths are requested. The scripts do call git and run Python subprocesses, which is proportional to audit functionality.
Persistence & Privilege
ok: Does not request always:true or modify other skills/system-wide config. It writes outputs under eval/ in the scanned workspace (expected for a reporter) and runs only locally; autonomy defaults are unchanged.