Skill v1.0.0

ClawScan security

coding-agent · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Suspicious · Mar 10, 2026, 11:34 AM

Verdict: suspicious
Confidence: high
Model: gpt-5-mini

Summary: The skill's instructions are coherent with a 'coding agent' purpose, but it omits and encourages risky operational details (bypass flags, host/elevated execution, background/PTY sessions) and does not declare the CLIs/credentials it expects — this mismatch is likely to surprise or expose users if installed without caution.

Guidance: This skill plausibly does what it says, but it omits and actively encourages risky operational choices. Before installing: (1) confirm on your system that the required CLIs (codex, claude, opencode, git, gh, etc.) are present and understand which credentials they use; (2) do not use sandbox-bypass flags (--yolo, bypassPermissions) or 'elevated' host mode unless you fully trust the remote agent and understand the consequences — these options allow arbitrary commands to run on your host and can access local files/credentials; (3) run any spawned agents only in disposable temporary directories or isolated environments (containers or VMs) and avoid running inside the OpenClaw workspace; (4) be prepared to monitor and kill background sessions and to rotate any tokens or secrets that might be exposed; (5) consider asking the skill author to explicitly declare required binaries and any credential needs before installing so you can make an informed decision.

Review Dimensions

Purpose & Capability
note: The written instructions match the described purpose (delegating coding work to Codex/Claude/Pi/OpenCode via CLI invocations and background sessions). However, the skill declares no required binaries, env vars, or install steps while the instructions repeatedly assume presence of multiple CLIs (codex, claude, opencode, gh, git) and a configured environment — that omission is an incoherence the user should be aware of.
Instruction Scope
concern: The SKILL.md explicitly instructs using flags that bypass sandboxing and approvals (e.g., --permission-mode bypassPermissions, --yolo / 'no sandbox, no approvals'), running interactive PTYs, background sessions, and an 'elevated' host mode. Those instructions go beyond benign automation and materially increase risk (arbitrary commands, potential file/system modification, exfiltration) — they are within the skill's stated purpose but are high-risk operational choices that should be explicitly declared and constrained.
Install Mechanism
ok: This is an instruction-only skill with no install spec or downloaded code. That lowers installation risk (nothing new is written to disk by the skill itself).
Credentials
concern: The skill lists no required environment variables or primary credential, but the instructions implicitly require authenticated CLIs (e.g., 'gh pr checkout', 'gh pr comment', git clone, and agent CLIs). It therefore expects existing credentials/configuration (GitHub auth, agent CLI auth) without declaring them — an important mismatch. The ability to run agents with bypassed permissions could access tokens and files available to the process, so the lack of declared env/credential requirements is concerning.
Persistence & Privilege
note: The skill does not request permanent/always-on inclusion and leaves autonomous invocation at the platform default. However, the instructions promote long-running background sessions and an 'elevated' option that, if used, would allow host-level execution; combined with sandbox-bypass flags this increases potential blast radius. The metadata itself does not request elevated privileges, but the operational guidance encourages using them.