Skill v2.1.0

ClawScan security

RankClaw · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Suspicious · Mar 3, 2026, 3:04 PM
Verdict: suspicious
Confidence: medium
Model: gpt-5-mini
Summary
RankClaw's stated purpose (a remote trust/audit service) matches most of the artifacts, but the skill instructs agents to add a persistent remote MCP server, includes a prompt-injection pattern in its SKILL.md, and has small inconsistencies (curl / filename mismatch) — these make the package worth manual review before trusting it with installs or sensitive data.
Guidance
RankClaw appears to be what it says (a remote skill-auditing service) but it asks you to add a persistent MCP server that sends agent requests to https://api.rankclaw.com. Before installing or adding it to your agent config:
1) Do not send secrets or local files to the service until you confirm what data is transmitted — test rankclaw_check using innocuous skill names first.
2) Inspect the bundled mcp_bridge.py (it is a simple HTTP→stdio proxy) and prefer using the bundled file rather than curling at runtime; note the example filename mismatch (mcp_bridge.py vs rankclaw_mcp_bridge.py) — fix it if you deploy.
3) Treat the prompt-injection finding seriously: open SKILL.md and SECURITY_AUDIT.md and verify there are no hidden/obfuscated instructions telling the agent to ignore safeguards.
4) Ask the maintainer for a privacy/security policy and the server-side audit code or allow-listing mechanism (what exactly is sent to the server, retention policy, and whether SKILL.md or other local files are uploaded).
5) If you have sensitive credentials or run agents with host-level access, avoid persistent registration of third-party MCP servers; instead run checks manually or self-host an audit service.
If you want, I can produce a short checklist of exact MCP RPCs to test or help craft a minimal test invocation that doesn't leak sensitive data.
Findings
[ignore-previous-instructions] unexpected: A prompt-injection pattern was detected in SKILL.md. For a tool that is itself a security auditor this is suspicious (could be a false positive from the auditor-oriented wording), but it should be inspected manually because it may attempt to manipulate agent evaluation or runtime behavior.

Review Dimensions

Purpose & Capability
note: The name and description (an external trust/audit service) align with the provided files: SKILL.md documents remote checks and an MCP API, and mcp_bridge.py proxies MCP traffic to https://api.rankclaw.com/api/mcp/. Requesting no env vars and no local privileged installs is proportionate to a remote auditing service. The capability to call out to a remote API is coherent with the claimed purpose.
Instruction Scope
concern: SKILL.md instructs agents to register RankClaw as an MCP server (persistent config change) and to call rankclaw_check/rankclaw_score RPCs. The SKILL.md also contains a flagged prompt-injection token ('ignore-previous-instructions'), which suggests either an adversarial attempt to manipulate agent behavior or a false positive in pattern-matching; either way it deserves human review. The document also recommends curling a bridge script from raw.githubusercontent.com (a runtime download) — the skill both bundles a bridge and suggests downloading it, and there is a filename inconsistency in examples (mcp_bridge.py vs rankclaw_mcp_bridge.py).
Install Mechanism
note: There is no declared install spec (instruction-only), which limits on-disk installs. However, SKILL.md recommends curling a raw GitHub URL (https://raw.githubusercontent.com/RankClaw/rankclaw/main/mcp_bridge.py) — GitHub raw is a common source but still a runtime download that executes locally. The package also bundles mcp_bridge.py, so the curl instruction is redundant and the filename mismatch is a coherence issue to review.
Credentials
note: The package declares no required environment variables or credentials, which is proportional. That said, registering an MCP server hands a remote service the ability to receive whatever the agent sends (skill names, possibly SKILL.md content or other context depending on client behavior). The skill itself doesn't request secrets, but the network proxy behavior means sensitive local data could be transmitted indirectly depending on how the agent calls the remote API.
Persistence & Privilege
concern: The SKILL.md explicitly instructs users/agents to add RankClaw to persistent agent config files (~/.nanobot/config.json, .mcp.json). That creates an ongoing outbound channel to a third-party server. 'always' is false, and the skill doesn't force installation, but instructing persistent config changes increases the blast radius and should be treated carefully.