ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Citation Anchoring

v1.0.0

Regression-check citation anchoring (citations stay in the same subsection) to prevent “polish drift” that breaks claim→evidence alignment. **Trigger**: cita...

0· 131·1 current·1 all-time
by@willoscar
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Suspicious
high confidence
!
Purpose & Capability
The skill's stated purpose is a narrow, analysis-only citation anchoring check (read a baseline JSONL and the DRAFT.md, then write a report). However the bundle contains many pipeline definitions and sizeable tooling modules (tooling/*.py, pipelines/*.md, a 275kB quality_gate module, executor logic, etc.). That large pipeline/tooling footprint is disproportionate for a small regression check and suggests the skill is a general pipeline component rather than a minimal, single-purpose checker.
Instruction Scope
SKILL.md itself is well-scoped: it says 'analysis-only', 'Network: none', and describes reading output/DRAFT.md and the baseline JSONL and writing output/CITATION_ANCHORING_REPORT.md. However included code (tooling/executor.py) can run subprocesses (it constructs and runs repo_root/scripts/run.py) and reads/writes many workspace files. The instructions do not explicitly tell the agent to execute arbitrary scripts, but the bundled executor enables that behavior if used — this expands runtime scope beyond the simple file-compare described in SKILL.md.
Install Mechanism
No external install/downloads are declared (no install spec). The skill requires only a Python binary (python3 or python) which is appropriate for included Python code. No third-party network downloads are present in the provided metadata.
Credentials
The skill declares no required environment variables, no credentials, and no config paths. That aligns with the described purpose (local file analysis).
Persistence & Privilege
The skill is not marked always:true and uses the platform default (agent-invocable/autonomous allowed). It does not request to modify other skills or system-wide config in the provided files. Still, autonomous invocation combined with executor subprocess logic increases the potential blast radius if misused.
Scan Findings in Context
[subprocess.run] unexpected: tooling/executor.py uses subprocess.run to execute a script at repo_root/scripts/run.py and will capture stdout/stderr to logs. For a narrowly scoped citation-anchor check, executing repository scripts is not expected and expands the skill's runtime capabilities.
[writes_to_workspace_files] expected: The skill and bundled tooling perform file I/O (reading baseline JSONL and DRAFT.md, writing report files). File writes are expected for this purpose, but the toolkit includes wide-ranging helpers (atomic_write_text, update_status_log, backup_existing) that can modify many files in the workspace.
What to consider before installing
This skill's SKILL.md describes a safe, offline check (read baseline JSONL + DRAFT.md → produce an anchor report). However the package includes a large pipeline/tooling codebase and an executor that can run repo scripts via subprocess.run. Before installing or enabling this skill: 1) Inspect repo_root/scripts/run.py (or confirm it does not exist) — that's the executable the bundle may call. 2) Review tooling/executor.py and any entrypoint scripts to understand what will be executed and what files will be touched. 3) If you only need the simple anchor check, consider extracting or running a minimal script that performs the JSONL vs DRAFT.md comparison rather than enabling the entire bundle. 4) Run the skill in a sandbox workspace with non-sensitive files first. 5) If you do enable autonomous invocation, prefer least-privilege workspaces and ensure no secrets or sensitive files are present, because the executor could execute repo-local scripts that perform broader actions.

Like a lobster shell, security has layers — review code before you run it.

latestvk973b7yve01q90gc5fsk93sjc18360n8

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Runtime requirements

Any binpython3, python

Comments