Skill v1.1.0

ClawScan security

Agent Token Sentinel · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Suspicious · Mar 4, 2026, 2:22 PM
Verdict
suspicious
Confidence
medium
Model
gpt-5-mini
Summary
The skill claims to monitor token usage and kill runaway agent loops, but it's instruction-only with no code, no declared permissions, and no concrete runtime instructions — the claimed capabilities don't match the actual footprint.
Guidance
This skill reads like a placeholder or marketing stub rather than a working guardian: it promises automatic token/loop control but provides no code, no required credentials, and no concrete runtime instructions. Before installing or relying on it, ask the author for: (1) the implementation (source code) showing how it reads usage metrics and terminates loops, (2) a list of exact permissions or environment variables it needs, and (3) what endpoints it contacts to send alerts. Because it currently lacks transparency, do not treat it as a reliable security control — prefer tools with auditable code, explicit permission requests, and clear install steps. If you must test it, run it in an isolated environment and monitor what the agent actually does (network calls, process control) rather than trusting the description.

Review Dimensions

Purpose & Capability
concern: The README claims real-time monitoring, loop-killing, quota enforcement and notifications, yet the package declares no binaries, no credentials, no config paths, and contains no code — there is no clear mechanism by which it could perform those actions.
Instruction Scope
concern: SKILL.md is high-level marketing text and a single CLI usage example; it provides no runtime instructions for how to observe API usage, kill processes, or send alerts. That vagueness grants broad, undefined discretion to the agent and is scope-creep (it claims powerful runtime actions but doesn't specify the safe, limited steps to do them).
Install Mechanism
ok: No install spec and no code files are present, which minimizes direct on-disk risk. However, absence of an install mechanism also means the skill can't transparently add the plumbing necessary to perform the claimed monitoring.
Credentials
concern: No environment variables, credentials, or config paths are requested — yet the functionality would normally require access to agent API keys, usage meters, or process control permissions. This mismatch suggests the skill is incomplete or intentionally vague about required privileges.
Persistence & Privilege
note: always is false (normal) and the skill is user-invocable. It does not declare persistent system modifications, but because its claimed behavior would require elevated access (to agent runtime or tokens), lack of declared privileges is notable. There is currently no evidence it can actually act autonomously on system processes.