Skillv2.0.0

ClawScan security

Unified Reasoning · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

SuspiciousFeb 28, 2026, 1:52 AM

Verdict: suspicious
Confidence: medium
Model: gpt-5-mini
Summary: The skill's README and wrapper claim a full 'unified reasoning' implementation, but the package is incomplete and its runtime instructions reference missing implementation files and PowerShell scripts — this mismatch is suspicious and should be resolved before use.
Guidance: This package appears incomplete: the wrapper (unified_wrapper.py) and SKILL.md expect a core implementation file (unified_reasoning.py) and a PowerShell script (reasoning-engine.ps1) that are not included. Before installing or enabling this skill: 1) Ask the publisher for the missing files or a complete distribution and verify their contents. 2) Do not run the skill in production or give it high trust until you can inspect unified_reasoning.py and any .ps1 scripts for network calls, credential access, or filesystem reads. 3) If you must test, run it in an isolated sandbox and monitor outbound connections. 4) If the publisher states the implementation is fetched at runtime, insist on the exact source URL and verify that URL is a trusted release host (e.g., official repo release) before allowing the skill to fetch and execute code. If the missing files are provided and they match the described behavior (no unexpected credential access, no remote endpoints), the assessment may change to benign.

Review Dimensions

Purpose & Capability: concernThe skill claims a comprehensive Unified Reasoning Engine (many strategies, FoT optimization) but the bundle does not include the promised implementation (SKILL.md and unified_wrapper.py expect an implementation file such as unified_reasoning.py and a reasoning-engine.ps1). Nothing in the package justifies the advanced capabilities described — the presence of only a wrapper without the core implementation is incoherent.
Instruction Scope: concernSKILL.md instructs running PowerShell commands and dot-sourcing skills/unified-reasoning/reasoning-engine.ps1 and shows integration snippets for an AGI controller, yet the referenced .ps1 and the core Python implementation are not included. The instructions do not ask for unrelated credentials or environment reads, but they depend on external files that are missing, so runtime behavior is unclear.
Install Mechanism: okThere is no install spec and no remote download/install steps — lowest-risk surface. The only code present is a small wrapper (unified_wrapper.py) which uses importlib to load a local file; it does not attempt network installs or extract archives.
Credentials: okThe skill declares no required environment variables, no credentials, and no config paths. SKILL.md and the wrapper do not reference secrets or unrelated env vars. Requested metadata (agi_component/priority) is unusual but not a credential request.
Persistence & Privilege: notealways is false (normal) and the skill is user-invocable; disable-model-invocation is default false (autonomous invocation allowed) which is platform-normal. The SKILL.md labels the component as an AGI component and 'critical' priority — this is a metadata oddity but does not, by itself, grant extra privileges.