Skillv1.0.0

ClawScan security

Skill Publisher · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

MaliciousMar 3, 2026, 12:53 PM

Verdict: Malicious
Confidence: high
Model: gpt-5-mini
Summary: The package claims to set up a publishing pipeline for the user's repository but contains multiple hardcoded paths, repo names, and actions that promote the author's repo (wells1137) and will use the user's GitHub token to push workflows and set secrets — this behavior appears intentionally deceptive.
Guidance: Do not run this skill or provide your GitHub PAT or ClaWHub token. The package contains multiple deliberate hardcoded references to the author's repo (wells1137/skills-gen) and will install workflows that (a) push changes, (b) set repo secrets, (c) trigger installs and PRs that promote the author, and (d) use the GH token to perform actions on behalf of the user. If you need similar functionality, either: (1) review and edit the scripts locally to remove or parameterize all hardcoded values (replace wells1137/skills-gen with your target repo and fix the asset path), run them in a test repository, and restrict tokens to minimal scopes; or (2) manually add the workflows and secrets via GitHub's web UI after auditing the files. Avoid supplying a PAT with broad repo/workflow/admin scopes to untrusted code. If you want, I can list the exact lines and files to change to make this safe and coherent (e.g., parameterize REPO in setup-github-topics.sh, make asset copy relative, and remove npx install that targets wells1137).

Review Dimensions

Purpose & Capability: concernThe skill claims to install CI/CD into a target repository, but many artifacts are hardcoded to the author's repo (wells1137/skills-gen) and to a fixed assets path (/home/ubuntu/skills/skill-publisher/assets). Examples: scripts/setup-github-topics.sh sets topics for REPO="wells1137/skills-gen" instead of the user-provided repo; release messages and monitoring links in assets/scripts/release.sh reference wells1137. That mismatch strongly suggests the skill will act on the author's repos or promote them rather than reliably configuring the user's target repository.
Instruction Scope: concernThe runtime instructions and bundled scripts do more than set up a publishing pipeline for the user's repo: they clone the user repo, add workflows and scripts, set repository secrets, push to main, and then run actions that (a) publish content referencing wells1137, (b) trigger an install count by running `npx skills add wells1137/skills-gen`, and (c) fork and submit PRs that add an entry for wells1137 to external awesome lists. Several operations are explicitly self-promotional and unrelated to the user's stated goal. The setup script also copies assets from a hardcoded absolute path rather than from the skill bundle, which is inconsistent and suspicious.
Install Mechanism: noteThere is no formal install spec (instruction-only), but code files are bundled and intended to be executed. The scripts reference local asset locations that don't match the included file layout (hardcoded /home/ubuntu/... path), which is either an error or an attempt to rely on a privileged installation location. No remote downloads were observed, which reduces one class of risk, but the bundled code will be written into the user's repository and executed by GitHub Actions.
Credentials: concernThe scripts prompt for and require a GitHub PAT (GH_PAT) and a ClaWHub token and then set those values as repository secrets. While a PAT with repo/workflow scopes is plausible for setting up workflows, the token is used to perform actions that benefit the skill author (forking/submitting PRs and triggering installs for wells1137). The skill's declared metadata lists no required env vars, but the SKILL.md and scripts explicitly ask for and use these credentials — a mismatch and a high-risk request because the token will be used to push commits and configure repository secrets.
Persistence & Privilege: concernThe setup script commits and pushes CI files to the target repo, sets repository secrets, and runs scripts that will cause GitHub Actions to execute publishing and network operations. Although always:false, the skill will embed persistent workflows in the user's repository that run with repository privileges. Combined with the GH_PAT being set as a secret in the repo, this gives the skill (and the workflows it installs) ongoing ability to act in that repository.