Skill v1.1.0

ClawScan security

Code Auditor · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Suspicious · Mar 14, 2026, 7:35 AM
Verdict
suspicious
Confidence
medium
Model
gpt-5-mini
Summary
The skill appears to do what it claims (posting code to aiprox.dev for auditing) but it routes repository code to an external service and claims to audit "any GitHub repo" while only requesting a spend token — raising privacy and credential-mismatch concerns.
Guidance
This skill will send any code or public repo URL you provide to a third-party endpoint (aiprox.dev) and uses AIPROX_SPEND_TOKEN for payment/auth. Before installing: (1) confirm you are comfortable uploading code (do not send private repo contents or secrets); (2) verify the aiprox.dev service and its privacy/security policy and who operates it (homepage is given but source is unknown); (3) understand that private GitHub repos likely require separate credentials — the skill does not request a GitHub token, so clarify how private repos are supported; (4) test on non-sensitive public code first and avoid sending secrets or private keys. If you need audits to stay local, use a local/offline auditing tool instead.

Review Dimensions

Purpose & Capability
note: The declared purpose (auditing code/repos) matches the instructions to POST code or a repo URL to aiprox.dev and use AIPROX_SPEND_TOKEN for payment. However, the SKILL.md claims it can audit "any GitHub repo" but does not request a GitHub token or explain how it will access private repositories. That discrepancy (public vs. private repo access) is unclear and should be clarified.
Instruction Scope
concern: Runtime instructions explicitly direct the agent to upload repository contents or raw code to https://aiprox.dev/api/orchestrate with the X-Spend-Token header. Sending code to a third-party service is consistent with an auditor but is a sensitive operation: private code, secrets, or proprietary IP could be transmitted. The SKILL.md asserts "No code is executed," but the agent cannot verify that on its own — the only observable behavior is network transmission of the code to a remote service.
Install Mechanism
ok: Instruction-only skill with no install spec and no code files; nothing is written to disk or installed by the skill itself. This minimizes local-install risk.
Credentials
note: The skill requests a single environment variable (AIPROX_SPEND_TOKEN) which is proportional for a paid, networked auditor. Still, the token is sensitive (used for payment/auth) and grants the service the ability to be invoked; there is no clear, declared support for providing GitHub credentials for private repos, which is a functional gap rather than excessive permissioning.
Persistence & Privilege
ok: The skill is not forced-always enabled (always: false) and does not request persistent or elevated agent privileges. Autonomous invocation is allowed (the platform default) but not combined with other high-risk indicators here.