Skillv0.1.1

ClawScan security

Skill Safety Verifier · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

SuspiciousMar 1, 2026, 5:01 PM

Verdict: suspicious
Confidence: medium
Model: gpt-5-mini
Summary: The skill largely does what its description says (scanning skills, GitHub Advisory checks, pattern detection), but there are security-inconsistent choices and minor mismatches that warrant caution before installing or running it.
Guidance: This tool appears to implement the vetting functions it advertises, but do not run it on sensitive networks or with privileged access until you address the TLS issue. Ask the author why SSL verification is disabled (and prefer a version that keeps certificate verification enabled). Before installing or using: 1) Inspect analyzer.py (the fetch_advisories code) and patch it to enable certificate verification (remove CERT_NONE). 2) Run the analyzer in an isolated environment/container with limited network access. 3) Consider providing a GitHub token for authenticated advisory queries. 4) Review any output the analyzer produces (it writes a cache to ~/.cache/skill-safety/). If you are not comfortable editing code, avoid installing or only run on isolated test hosts.
Findings: [ssl_disable_verification] unexpected: analyzer.py creates an SSL context with ctx.check_hostname = False and ctx.verify_mode = ssl.CERT_NONE when fetching advisories, which disables certificate verification and is inconsistent with a security tool's intent. [external_api_call_github_advisories] expected: The code queries https://api.github.com/advisories for vulnerability data — this is expected for a vulnerability-checking tool. The use should be done with proper TLS verification and optional authenticated requests for higher rate limits. [dangerous_pattern_strings] expected: The code contains regex lists for exec/eval/subprocess/os.environ/http patterns because the analyzer scans target skills for these dangerous constructs — this is expected. [console_script_entrypoint] expected: setup.py defines a console script entry point (skill-safety-check=analyzer:main), which is normal for a CLI tool and matches README usage examples. [requirements_mismatch] unexpected: requirements.txt includes 'requests>=2.28.0' but analyzer.py uses urllib.request for advisory fetching; requests may still be used elsewhere or intended for optional features — minor inconsistency.

Review Dimensions

Purpose & Capability: okName/description align with the code and files: analyzer.py implements code-pattern scanning, dependency vulnerability checks against GitHub Advisory API, permission analysis and a risk scoring renderer. The presence of setup.py, CLI entry point, and documentation is consistent with a local analysis tool.
Instruction Scope: concernSKILL.md/README describe cloning a target skill and scanning its files and dependencies, which matches analyzer.py's scanning behavior. However there is a notable contradiction: README claims SSL verification is used by default, while analyzer.py explicitly disables SSL certificate verification (ssl.CERT_NONE) when calling the GitHub Advisory API. That weakens the security guarantees of a tool whose purpose is vetting security.
Install Mechanism: noteRegistry has no install spec, but the package includes setup.py and instructions to pip install or wget individual files. The install approach uses standard pip/setuptools and a small requirements.txt (requests). No high-risk download-from-unknown-host patterns are present in the manifest; however README suggests direct wget from raw.githubusercontent.com which is common but should be used carefully.
Credentials: okThe skill declares no required environment variables or elevated credentials. It writes cache to ~/.cache/skill-safety/ (expected for advisories cache). The tool scans repository files (including SKILL.md, package.json) which is necessary for its purpose and does not request unrelated secrets.
Persistence & Privilege: okNo always:true, no special OS-level privileges requested. Installing via pip would create a console script and a cache directory — standard for a CLI tool. It does not attempt to modify other skills' configs or request permanent platform privileges.