v0.1.2

Mission Claw

Benign

ClawScan verdict for this skill. Analyzed May 1, 2026, 5:33 AM.

Analysis

Mission Claw is a coherent activity-logging skill that may persist task metadata through an external local CLI, but the provided artifacts do not show deceptive, destructive, or credential-stealing behavior.

Guidance

Before installing, verify the Mission Claw npm package and repository. If you use it, treat activity descriptions and details as persistent records, avoid secrets or private data, and make sure the local daemon/dashboard is something you intend to run.

Findings (3)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

Abnormal behavior control

Checks for instructions or behavior that redirect the agent, misuse tools, execute unexpected code, cascade across systems, exploit user trust, or continue outside the intended task.

Agentic Supply Chain Vulnerabilities
Severity: Low | Confidence: High | Status: Note
SKILL.md
binaries: [mclaw]
install: npm install -g mission-claw

The skill depends on a globally installed npm CLI that is not included in the reviewed artifact set. This is expected for a CLI-based logging skill, but users must trust the external package.

User impact: Installing the referenced CLI may add third-party code to the host environment.
Recommendation: Verify the npm package and repository before installing, and prefer installing it in a controlled environment.

Tool Misuse and Exploitation
Severity: Low | Confidence: High | Status: Note
SKILL.md
mclaw log "Task description" ... --total-tokens N

The core workflow asks the agent to run a local CLI command that writes activity records. This is purpose-aligned, but it is still a tool-mediated write action.

User impact: The agent may create local activity records when it considers work significant enough to log.
Recommendation: Keep logging scoped to meaningful tasks and avoid allowing routine or sensitive work to be logged without user awareness.

Sensitive data protection

Checks for exposed credentials, poisoned memory or context, unclear communication boundaries, or sensitive data that could leave the user's control.

Memory and Context Poisoning
Severity: Low | Confidence: High | Status: Note
SKILL.md
Log significant tasks to the Mission Claw activity feed for tracking agent work, token usage, and project progress.

The activity feed persists task names, project names, token usage, and optional details. This is central to the skill, but those fields may contain sensitive work context if users include it.

User impact: Task metadata and descriptions may remain visible later in the local Mission Claw dashboard or activity feed.
Recommendation: Do not include secrets, private user data, or sensitive project details in log descriptions; review the dashboard's retention and access controls.