Skill v0.2.0
ClawScan security
Supercoder · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Suspicious · Apr 16, 2026, 5:10 AM
- Verdict
- suspicious
- Confidence
- high
- Model
- gpt-5-mini
- Summary
- The skill's stated purpose (implement features end-to-end) broadly matches its allowed capabilities, but the runtime instructions contain a few concrete inconsistencies and safety-relevant ambiguities you should understand before installing.
- Guidance
- This skill is designed to read, modify, and test a codebase and largely does what it says — but inspect a few things before installing or enabling it: 1) Make sure your runtime provides the CLAUDE_SKILL_DIR (or equivalent) and understand what directory it will point to; the SKILL.md references it but the variable is not declared. 2) Clarify the contradictory rule about file paths: the docs forbid 'inventing' file paths while the Implement phase expects creating new files — ask the author how new files should be named and referenced. 3) Because the skill can run Bash and WebFetch, run it in a sandboxed environment (or restrict network access) until you confirm its behavior; these tools can modify repo files and send data externally. 4) Require human review/approval checkpoints (the skill does include AskUserQuestion points, but ensure you actually pause and review the first increment and design choices). 5) If you need higher assurance, ask the publisher for explicit runtime requirements (env vars, working directory) and for a minimal test run log demonstrating the workflow in a safe repo. If you want, I can draft exact questions to ask the skill author or suggest a safe execution policy to apply before enabling it.
Review Dimensions
- Purpose & Capability
- ok: Name/description (AI pair programmer that analyzes requirements and implements code) aligns with the allowed tools (Read/Write/Edit/Bash/LSP/TaskCreate/Agent/WebFetch/etc.) and the six-phase workflow; no unrelated credentials or binaries are requested.
- Instruction Scope
- concern: The SKILL.md instructs aggressive repository access and modification (reading, editing files, running tests via Bash, spawning subagents) which is expected for an implementer, but two problematic items stand out: (1) it references ${CLAUDE_SKILL_DIR} as the path for reference files (and for reading the codebase) yet the skill declares no required environment variables — the skill will rely on a runtime-provided env var that is not declared; (2) it contains a hard constraint 'Every file path in outputs must reference actual files in the project. Never invent hypothetical paths.' which conflicts with the Implement phase that explicitly creates new files and edits — this is contradictory and unclear for runtime behavior. Also, WebFetch + Bash allow network I/O and shell execution which can exfiltrate data if misused; the instructions themselves don't limit external endpoints beyond 'fetch requirement URLs', so consider network restrictions.
- Install Mechanism
- ok: Instruction-only skill with no install spec and no code files — lowest-risk install surface (nothing is downloaded or written to disk at install time).
- Credentials
- concern: The skill declares no required environment variables, but the instructions rely on ${CLAUDE_SKILL_DIR} to locate reference docs and (presumably) the project tree; that env var is not declared or justified. The skill also grants broad tool access (file I/O, Bash, WebFetch) but requests no credentials — which is reasonable for local repo work, yet the missing declared env var and broad I/O capability create an ambiguity about what runtime context and permissions the skill expects.
- Persistence & Privilege
- ok: always:false (no forced global presence). The skill can be invoked autonomously (default), which is the platform norm; it does not request to modify other skills or system-wide configs in the instructions.
