Skill v1.0.0

ClawScan security

Task Dispatcher · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Suspicious · Mar 8, 2026, 2:09 PM
Verdict
suspicious
Confidence
medium
Model
gpt-5-mini
Summary
The skill's dispatcher purpose and agent/config mappings are coherent, but included YAML config files contain potentially destructive/automatic cleanup rules, hard-coded user paths, and some configuration/behavioral inconsistencies (confirmation vs auto-clean) that warrant caution before installing or running.
Guidance
Before installing or enabling this skill:
1) Confirm whether your runtime provides a 'subagents' tool and what that tool is allowed to do.
2) Ask the author to clarify/patch cleanup.yaml: set require_confirmation: true, disable cleanup_on_start, and remove any rules that delete arbitrary host files.
3) Remove or parameterize hard-coded absolute paths (e.g., /Users/xiaotiac/...) to avoid accidental access to user directories.
4) Verify that the skill will not read or act on host filesystem paths, environment variables, or webhooks unless you explicitly configure them; if Slack/email/webhook placeholders are used, ensure no secrets are auto-read.
5) Test the skill in a restricted sandbox or non-production account with monitoring/logging enabled to observe behavior (especially any file system or network actions).
6) If you plan to allow autonomous runs, require explicit confirmation for HIGH/CRITICAL actions and audit logs for any auto-abort/auto-delete actions.
These checks will reduce the risk that the dispatcher executes destructive cleanup or accesses unintended files.

Review Dimensions

Purpose & Capability
ok
Name/description (task dispatching, subagent orchestration) align with the provided assets: SKILL.md plus multiple pipeline/agent/budget/review configs. The declared requirements (no binaries, no env vars) are plausible for an instruction-only orchestration skill.
Instruction Scope
concern
SKILL.md instructs the agent to analyze, split, show the plan to the user, then call a 'subagents' tool to spawn/list agents. However, the included configs (cleanup.yaml, budget/deadloop protection, pipelines) imply automatic cleanup and file-deletion behavior (cleanup_on_start: true, cleanup_on_complete: true, cleanup_rules with action: delete, and require_confirmation: false). That conflicts with the SKILL.md's repeated requirement to present the task plan and wait for user confirmation and creates a risk that the skill could cause deletions or other system actions without explicit, user-visible prompts. Configs also reference local filesystem paths (e.g., /Users/xiaotiac/...) and patterns that could cause scanning/deletion of host files if executed.
Install Mechanism
ok
Instruction-only skill with no install spec and no code files; lowest install risk. There is no download/execute/install mechanism included in the package.
Credentials
note
The package declares no required environment variables or credentials, which is reasonable. But some configuration files reference external endpoints/values (e.g., ${SLACK_WEBHOOK_URL} in review.yaml) and include role/emergency settings that assume admin privileges. There are also hard-coded user-specific paths and patterns in cleanup.yaml and whitelist/blacklist that are unrelated to the high-level purpose and could lead to unexpected host-file access if the orchestration were to act on them.
Persistence & Privilege
note
always: false (no forced always-on). The skill intends to be a central coordinator ('唯一入口', "the sole entry point") and can be invoked autonomously (platform default), which is expected for a dispatcher; combined with the config files that permit automatic cleanup/deletions, autonomous invocation would increase potential impact. The skill does not request to modify other skills or system-wide settings in the package itself.