Back to skill
Skillv1.0.1
ClawScan security
WSL-PowerShell Controller · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
BenignMar 12, 2026, 2:48 AM
- Verdict
- benign
- Confidence
- high
- Model
- gpt-5-mini
- Summary
- The skill does what it claims — it provides shell instructions and a small helper script to invoke Windows PowerShell from WSL — and its requirements and behavior are internally consistent.
- Guidance
- This skill is coherent and implements exactly what it claims: a helper to run Windows PowerShell from WSL. Before installing, confirm you actually run under WSL and trust the Windows host, because the skill (and automated agents using it) can execute arbitrary PowerShell commands on your Windows system. Review psctl.sh if you have strict security needs, avoid running it with elevated privileges unless necessary, and don't grant autonomous agents permission to run skills that execute host commands unless you trust the agent and its prompts.
Review Dimensions
- Purpose & Capability
- okName/description match the included materials: SKILL.md, README, and psctl.sh all describe invoking Windows PowerShell from WSL and path conversion. No unrelated credentials, binaries, or configuration paths are requested.
- Instruction Scope
- okRuntime instructions and the script only describe/perform locating a pwsh/powershell executable under /mnt and running commands or script files. They reference only expected files (scripts under /mnt or local skill scripts) and utilities (wslpath). No instructions ask the agent to read unrelated host files, environment secrets, or send data to external endpoints.
- Install Mechanism
- okThere is no install spec (instruction-only approach) and the provided install instructions in README are standard git/wget steps pointing to a GitHub repo. No downloads from obscure hosts or extracted archives in the install metadata.
- Credentials
- noteRegistry lists no required env vars (correct). The script optionally respects DEBUG, VERBOSE and a PWSH_PATH override, which are normal optional controls; these are not required credentials. Note: PWSH_PATH is supported by the script but not listed as a required env var — this is benign (an optional override) but worth knowing.
- Persistence & Privilege
- okSkill is not force-included (always: false) and does not request persistent system-wide changes. It does allow executing commands on the Windows host (the intended capability) — this is expected for the skill but is a functional capability, not an unexplained privilege escalation.