Skillv1.0.3

ClawScan security

bug-fixing · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

BenignMar 6, 2026, 6:47 AM

Verdict: benign
Confidence: medium
Model: gpt-5-mini
Summary: The skill's requested actions (searching code, running tests, editing files, clearing caches, restarting services) match its stated bug-fixing purpose, but it will exercise powerful local capabilities that can touch sensitive files (e.g., .env) and run arbitrary commands — review permissions and sensitive files before use.
Guidance: This skill appears to do what it says: search the codebase, run tests/linters, clear caches, restart services, and update project docs. Those actions require filesystem access and the ability to run commands. Before enabling: 1) Ensure the agent runs with limited privileges or in an isolated/test environment (so restarts and deletes don't affect production). 2) Remove or vault any secrets from project .env* files you do not want inspected, because the workflow explicitly recommends checking all env files. 3) Require explicit user approval before the agent executes destructive commands (delete files, restart services, run arbitrary shell commands). 4) Review any file edits the agent proposes before committing. If you need stricter controls, run the workflow manually or in CI where you can audit every command.

Review Dimensions

Purpose & Capability: okName/description (zero-regression bug-fix workflow) matches the instructions and reference docs: searching code, reproducing bugs, running tests, performing RCA, minimal fixes, and updating knowledge files. The declared lack of required env vars/binaries and absence of install steps is consistent with an instruction-only, repo-scoped troubleshooting workflow.
Instruction Scope: noteSKILL.md and reference files explicitly direct the agent to read/write project files, run linters/tests (pytest, mypy, npm, ruff), run searches (rg), delete caches (find .pyc, __pycache__), restart processes, gather runtime evidence (screenshots/DevTools traces), and update knowledge/bug-records. These actions are appropriate for bug fixing, but they give the agent broad file-system and execution scope within the project and may touch environment/config files (e.g., .env*) which can contain secrets. The instructions do not direct network exfiltration, but they do permit arbitrary command execution via the 'execute' tool.
Install Mechanism: okNo install spec and no code files — instruction-only. This is lowest-risk from an install/download perspective; nothing will be written to disk by an installer beyond what the agent itself does at runtime when following instructions.
Credentials: noteThe skill declares no required environment variables or credentials (proportional). However the reference docs and workflow require scanning and possibly reading multiple .env* files and other config files when diagnosing configuration bugs. Access to those files is relevant to the task but can expose secrets; the skill does not request remote credentials or unrelated secrets.
Persistence & Privilege: okalways:false and normal model invocation are used. The skill does not ask for permanent presence or modify other skills' configs. It does instruct operations that modify local state (writing knowledge files, deleting caches, restarting services), which is appropriate for a bug-fix workflow but should be permitted consciously by the user.