Skill v1.0.0
ClawScan security
reson8-phason · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Suspicious · Mar 12, 2026, 2:48 PM
- Verdict: suspicious
- Confidence: medium
- Model: gpt-5-mini
- Summary: The skill's instructions claim to read and write a ledger, generate tokens, and use a browser localStorage cache to resolve split-brain states, but the package declares no credentials, endpoints, or install requirements and provides no implementation files — the operational requirements are under-specified and potentially mismatched with typical agent runtimes.
- Guidance: This skill's prose describes real read/write operations against a ledger and a browser localStorage cache but provides no code, no endpoints, and no credentials — treat it as incomplete and under-specified. Before installing or enabling it:
  1) Ask the publisher for source code, an authoritative homepage, and the exact endpoints and auth mechanism (what ledger, what API, what credentials are required).
  2) Confirm where the agent is expected to run (browser TUI vs server agent) and whether localStorage operations are meaningful in that runtime.
  3) Do not give any ledger or signing credentials to the skill until you can review the implementation that will use them; prefer scoped, auditable service accounts and minimal privileges.
  4) If you must test, run in a sandbox with a fake/stub ledger and no production credentials, and require explicit manual approval before any real commits.
  5) If the publisher cannot provide code or a clear runtime spec, avoid enabling autonomous invocation — treat this skill as unsafe to run automatically.
Review Dimensions
- Purpose & Capability (concern): The stated purpose (resolving split-brain / HTTP 408 deadlocks) is plausible for the procedures described, but the instructions assume access to a specific ledger buffer (2026.0003), the ability to atomically commit state, and the ability to write to a temporal localStorage cache. The skill declares no environment variables, credentials, or platform requirements (e.g., browser vs server), so it is unclear how an agent would legitimately obtain the necessary ledger access or browser storage access. The references to ledger commits and ATOM tokens imply privileges/capabilities not declared by the skill metadata.
- Instruction Scope (concern): SKILL.md explicitly instructs the agent to read both candidate states from a ledger buffer, validate invariants, atomically write the selected state back to the ledger, release HTTP locks, generate an ATOM token, and log to localStorage for replay. Those are side-effecting, high-impact operations. The instructions also reference Python and JavaScript code snippets and files (quasicrystal_phason_scheduler.py, Coherence Forge TUI) that are not included. The doc assumes a browser TUI localStorage context and a separate backend ledger; mixing those contexts without specifying how to access them is ambiguous and grants wide discretion to the agent if executed as-is.
- Install Mechanism (ok): This is instruction-only (no install spec, no code files). That minimizes supply-chain installation risk, but increases reliance on the agent environment already having the necessary runtime hooks and credentials.
- Credentials (concern): No environment variables, credentials, or endpoints are declared, yet the runtime instructions require network/ledger access and a place to persist temporal events (localStorage). The absence of declared credentials (API keys, service URLs, or paths) is disproportionate to the described operations and leaves open the question of how authorization and authentication are to be performed.
- Persistence & Privilege (ok): The skill does not request always:true, does not modify other skills, and is user-invocable. It does instruct persistent logging into a 'temporal buffer' (localStorage), but that is scoped to the skill's own described storage and not to changing platform-wide settings. No elevated installation or automatic always-on behavior is requested.
