Skill v1.0.0

ClawScan security

CHECK · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Suspicious
Mar 6, 2026, 6:37 AM
Verdict
suspicious
Confidence
medium
Model
gpt-5-mini
Summary
The package claims to be an environment checker and does perform checks and pip installs, but the bundle also contains multiple additional skills (code generation/execution, permission managers, RAG manager) that grant broad file/command execution and deletion capabilities which are not clearly surfaced in the SKILL.md — this mismatch raises caution.
Guidance
This package is not a simple read-only environment checker: it bundles multiple powerful utilities that can run commands, install packages, write/delete files, and execute generated code. Before installing or enabling it:
1) Confirm you trust the publisher (source is unknown).
2) If you only need environment checks, prefer an environment-only implementation or run these scripts locally after manual review.
3) If you allow auto-install or execution, run the skill in an isolated environment (VM/container) to limit blast radius.
4) Review the included Python files (especially code_generator_tester_skill.py and permission_manager_skill.py) to verify there is no behavior you object to.
5) Be aware the code will inspect environment variables for API keys; avoid installing on hosts with sensitive credentials unless you trust the package.
If you want, I can list the exact functions that perform subprocess/sudo/pip/file deletions so you can review them line-by-line.

Review Dimensions

Purpose & Capability
concern
The public SKILL.md describes an environment/RAG checker that can auto-install Python packages. The distributed bundle, however, includes several other skills (code_generator_tester_skill.py, permission_manager_skill.py, rag_manager_skill.py, universal_permission_manager_skill.py) that implement arbitrary code generation+execution, file write/delete, sudo/elevation attempts, and broader permission fixes. Packaging these into a single 'CHECK' skill expands capabilities beyond the simple environment-checker description and may surprise users.
Instruction Scope
concern
SKILL.md instructions are limited to checking tools, packages, workspace and optionally installing missing Python packages. The code implements that (subprocess pip installs, which is expected) but also contains functionality to: run arbitrary generated code (create temp files and execute them), save code into project paths, run system commands (including docker/ollama/sudo), and manipulate files. Those behaviors go beyond what the SKILL.md emphasizes and grant the agent powerful runtime actions if invoked.
Install Mechanism
ok
No external install spec or remote archive downloads. The skill uses local Python scripts and calls pip via subprocess to install packages, an expected mechanism for 'auto-install' behavior. No unusual URLs or archive extraction were found.
Credentials
concern
The code reads RAG-related environment variables (OPENAI_API_KEY, ANTHROPIC_API_KEY, COHERE_API_KEY, HUGGINGFACE_API_KEY, AZURE_OPENAI_API_KEY) to detect configured providers. The registry metadata lists no required envs, which is not a hard error but is a transparency gap: the skill will check for (and thus can detect presence/absence of) sensitive API keys in the environment. Additionally, package.json declares permissions such as write/delete files and execute_commands for included skills, which are broad relative to a simple checker.
Persistence & Privilege
concern
always:false (good). However the bundle includes code that can execute arbitrary commands, attempt privilege escalation (sudo on Linux, runas hints on Windows), install packages, write and delete files, and package metadata enumerates 'delete_files' permissions for RAG manager. While these capabilities may be legitimate for developer tooling, they are high-privilege actions and should only be granted to a trusted skill from a trusted source.