Skillv0.3.8

ClawScan security

Agent Hand · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

SuspiciousMar 11, 2026, 1:18 AM

Verdict: suspicious
Confidence: medium
Model: gpt-5-mini
Summary: The skill's description (monitoring many agent sessions) is plausible, but the runtime instructions ask you to run an unreviewed remote install script and the registry metadata omits required runtime details (tmux and hooks), creating coherence and supply-chain concerns.
Guidance: This skill is plausible for its stated purpose but has supply-chain and transparency issues. Do not run the provided curl|bash command blindly. Before installing: 1) Inspect the GitHub repository and the exact install.sh referenced (open the raw URL) to see what it writes/executes; 2) Prefer downloading and reviewing the installer locally rather than piping to bash; 3) Run the installer in a sandbox or disposable VM/container first; 4) Verify the repo's owner, commit history, release tags, and community activity (issues/PRs); 5) Confirm what hooks/files the tool will create and whether it needs elevated privileges or access to other agents' config or tokens; 6) Avoid providing any credentials to the tool and don't run it as root. If you want to proceed safely, ask the publisher to add a formal install spec, checksums or signed releases, and to list required binaries/config paths in the registry metadata.

Review Dimensions

Purpose & Capability: noteThe stated purpose (unified dashboard, auto-detecting many agent sessions, hook system) is internally plausible for a local TUI that integrates with terminals/tmux. However, the registry metadata does not list tmux or any required binaries/configs even though SKILL.md explicitly says 'Requires: tmux' and describes automatic detection and hooks. That mismatch (declared requirements missing from registry) is a coherence issue that should be clarified.
Instruction Scope: concernSKILL.md instructs the user to run a curl|bash installer from raw.githubusercontent.com and to run 'agent-hand hooks install' to auto-register hooks for many third-party AI tools. The instructions imply the tool will inspect terminal sessions/processes and integrate with other tools, but they do not describe what system paths, files, or credentials (if any) the hooks will read or modify. Running the installer executes network-fetched code and grants the installed binary persistent ability to inspect sessions and register hooks — this is broader scope than the metadata explains.
Install Mechanism: concernThere is no formal install spec in the registry, but SKILL.md instructs to run 'curl -fsSL https://raw.githubusercontent.com/weykon/agent-hand/master/install.sh | bash'. The source host (GitHub) is a known host, but piping a remote script directly to bash executes arbitrary code with the user's privileges and is a high-risk install pattern. The registry should provide a vetted install spec, checksums, or signed releases instead of a blind pipe.
Credentials: noteThe skill declares no required environment variables or credentials, which is consistent with a local dashboard tool. However, because it promises auto-detection and hook installation for many third-party agent tools, it may need to access terminal/process state, tmux sockets, or config files — none of which are listed in the registry's required config paths. The lack of declared runtime access is a transparency gap.
Persistence & Privilege: notealways is false and model invocation is normal. The SKILL.md installer will create a persistent binary and install hooks, giving the tool ongoing system presence and the ability to monitor sessions. That level of persistence is expected for the described functionality, but it should be documented in the registry (what files are written, what hooks are registered) — current documentation is insufficient.