Skillv1.0.0

ClawScan security

Tonic System Deploy · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

SuspiciousMar 3, 2026, 5:26 PM

Verdict: suspicious
Confidence: medium
Model: gpt-5-mini
Summary: The skill reads like a deployment runbook (benign intent) but the instructions refer to automated actions and external integrations (Telegram, deploy/merge steps) without declaring required credentials, endpoints, or tooling — that mismatch is concerning.
Guidance: This appears to be a deployment playbook rather than executable automation, but it mentions sending Telegram notifications and performing deploy/merge operations without listing any required credentials, endpoints, or tools. Before installing or enabling this skill for autonomous use: 1) Confirm whether it is intended as a human-facing checklist only — if so, treat it as documentation and keep autonomous invocation disabled. 2) If you plan to let the agent perform deploys or send Telegram messages, require explicit, minimal credentials (scoped CI/CD service token, Telegram bot token + chat id, deploy keys) and restrict them to least privilege. 3) Ask the publisher for concrete integration details (what CI/CD, how deploys are executed, where 'records' are stored, rollback commands). 4) Avoid pasting high-privilege secrets into the agent without reviewing and limiting their scope; prefer manual gates for PROD actions. If you cannot obtain those clarifications, do not grant this skill network or credential access and use it only as a manual runbook.

Review Dimensions

Purpose & Capability: concernThe name and description claim a deployment workflow for UAT/PROD with automation and Telegram notifications. However, the skill declares no required binaries, no environment variables, and no install steps. For a workflow that claims to perform automated deploys and send Telegram messages, we'd expect declared integration credentials (e.g., CI/CD API tokens, SSH keys, Telegram bot token/chat id) and/or required tooling. The absence of those required artifacts is an incoherence: either the skill is only a human-facing playbook (OK) or it intends to execute actions but fails to declare necessary capabilities/credentials.
Instruction Scope: concernSKILL.md instructs an agent to 'AI analyses root cause + records fix plan', 'Deploys fix to UAT/PROD', and 'Telegram: "Fix deployed to UAT"' — i.e., networked actions and side effects. The instructions are vague about how/where to run deploys, where plans are recorded, and which Telegram endpoints to use. They grant broad discretion to an agent (e.g., 'AI analyses root cause') without bounded constraints, and they reference sending data externally but provide no destination or authorization details.
Install Mechanism: okThere is no install spec and no code files; the skill is instruction-only. This is the lowest install risk because nothing is written to disk by the skill itself.
Credentials: concernThe instructions imply need for secrets (CI/CD credentials, deploy keys, Telegram bot token, possibly cloud provider credentials) but the skill declares none. That mismatch is disproportionate: the documented behavior would normally require multiple secrets and scoped access, yet none are requested or documented.
Persistence & Privilege: okThe skill does not request 'always: true' and has no install-time persistence. Model invocation is allowed (platform default) but there is no evidence the skill modifies other skills or system-wide settings. This dimension is not a concern by itself.