Skillv1.0.0

ClawScan security

tester_skill · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

SuspiciousFeb 18, 2026, 11:24 AM

Verdict: suspicious
Confidence: medium
Model: gpt-5-mini
Summary: The skill's stated purpose (manage GitHub issues via the gh CLI) is plausible, but the SKILL.md and the skill metadata are inconsistent and missing important safeguards (undeclared gh dependency, undeclared GitHub credential use, and autonomous sub-agent spawning) — proceed with caution.
Guidance: Key things to consider before installing: - The SKILL.md requires the gh CLI and a GitHub token (GITHUB_TOKEN), but the skill metadata does not declare these — confirm the author/source and why metadata omits these requirements. - Understand exactly what spawn_subagent does in your agent environment: will sub-agents push commits, open PRs, or run arbitrary code? Ask for explicit limits and review/approval steps. - If you try it, use a least-privilege token (PAT) scoped only to the repositories needed (avoid using a full user token), and prefer a machine/service account rather than your personal account. - Require manual approval or merge protections in GitHub so PRs opened by the skill cannot be merged automatically without human review. - Ask the publisher for source code or provenance (why is there no homepage/source), and request that the skill metadata be corrected to list required binaries and credentials. - If you cannot verify these points, avoid granting it GitHub credentials or enable model-driven autonomous actions until you have tighter controls.

Review Dimensions

Purpose & Capability: concernThe description says it uses the authenticated gh CLI, but the registry metadata lists no required binaries or primary credential. SKILL.md explicitly requires the gh CLI and shows use of a GITHUB_TOKEN. The requested metadata should have declared gh as a required binary and the token as a primary credential or required env var.
Instruction Scope: noteInstructions are focused on GitHub issue/PR operations and spawning sub-agents to implement fixes, which matches the stated purpose. However the SKILL.md provides no constraints or guardrails for spawned sub-agents (what they can access, whether they push commits automatically, review/merge policies), leaving broad, underspecified autonomous behavior.
Install Mechanism: noteThis is an instruction-only skill (no install spec), which is low-risk by itself, but the SKILL.md requires the gh CLI be installed — that dependency is not declared in the registry metadata. The lack of an install spec means nothing will be written by the skill itself, but the runtime dependency mismatch is an inconsistency.
Credentials: concernThe README suggests using GITHUB_REPO and GITHUB_TOKEN (sensitive) and authenticating via gh auth, but the skill declared no required env vars or primary credential. Sensitive tokens are clearly needed for the described actions; the skill should declare and justify them and recommend least-privilege scopes. As-written, the skill may run with whatever gh credentials are present without documenting required scopes or safeguards.
Persistence & Privilege: concernalways:false (good), but the skill instructs agents to spawn sub-agents that can implement fixes and create PRs. With model invocation enabled (default), an agent could autonomously create branches/PRs using available credentials. Combined with the undeclared credential dependency and lack of guardrails, this raises privilege and autonomy concerns.