Skill v1.1.0
ClawScan security
Skill Sandbox · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Suspicious · Feb 17, 2026, 1:01 AM
- Verdict
- suspicious
- Confidence
- medium
- Model
- gpt-5-mini
- Summary
- The skill's purpose (a sandbox for testing skills) generally matches the included code, but the SKILL.md overstates what the tool can safely observe and the default 'observe' mode can expose real credentials — the monitoring implementation appears partial and potentially misleading.
- Guidance
- This tool mostly does what it says (it checks Python skill code and emits a report), but be cautious: 1) 'observe' mode runs the skill with your real environment and no restrictions — that can let a malicious skill read or exfiltrate secrets; prefer using --fake-env or the 'restricted' mode. 2) The script's monitoring is limited: running the skill as a subprocess means the monitor cannot always see every env read or low-level socket operation, and the tool itself warns it is not an OS-level sandbox. 3) Do not rely solely on the sandbox verdict — inspect the generated JSON report and the skill's source yourself, and consider running untrusted skills inside a real container/VM (Docker) or isolated machine for high-risk cases. 4) If you need stronger guarantees (preventing native code, ctypes, exec/fork, raw sockets, or kernel-level side-channels), use Docker/VM-based isolation rather than this Python-based sandbox.
Review Dimensions
- Purpose & Capability
- note: Name/description match what the package contains: a Python script for running and analyzing other Python skill code. Requiring python3 and referencing skill directories in the user's home is consistent with a tool that runs and inspects skill code.
- Instruction Scope
- concern: SKILL.md claims comprehensive monitoring of filesystem, env reads, network and subprocesses. The implementation mixes subprocess isolation and in-process monitoring primitives; when it runs the skill as a separate subprocess (its stated default safe approach) it cannot directly observe which environment keys the child process reads unless additional instrumentation is injected into the child. The code also logs the injection of fake credentials as warnings immediately (monitor.warn on injection), which could be misleading because injection ≠ access. The default 'observe' mode runs the skill with no restrictions and could allow real secrets or network exfiltration — this conflicts with the 'safe' implication in the description.
- Install Mechanism
- ok: No install spec; instruction-only plus a Python script. This is low-risk from an installation standpoint (nothing downloaded or auto-installed).
- Credentials
- concern: The skill requests no external credentials and only requires python3, which is proportional. However, because SKILL.md's default observe mode runs a skill with the host environment and the tool logs environment variable access only under certain modes, a user following the docs could inadvertently expose real credentials or files. The script injects a fixed set of 'fake' keys (OpenAI, Anthropic, GitHub, AWS, etc.) which is sensible for testing, but injection is logged as a warning immediately regardless of whether the child actually reads them, creating potential false positives or misleading traces.
- Persistence & Privilege
- ok: No always:true or other elevated persistence requested. The skill is user-invocable and not force-included. Normal autonomous invocation is allowed by platform defaults but is not a new concern here.
