Skillv1.0.8

ClawScan security

omg · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

SuspiciousApr 6, 2026, 1:53 AM

Verdict: suspicious
Confidence: medium
Model: gpt-5-mini
Summary: The skill's stated passive detection purpose is plausible and mostly coherent, but there are metadata/instruction inconsistencies and some proportionality and operational risks (especially if webhook/email alert channels are enabled) that warrant caution before installing.
Guidance: This skill's purpose (passive detection of distillation-style request patterns and alerting the operator) is reasonable and the instruction-only format keeps install risk low. Before installing: (1) resolve the inconsistency between the platform/registry metadata and the SKILL.md about autonomous invocation and required env vars — confirm the platform will honor disable_model_invocation: true if you require no autonomous runs; (2) confirm exactly which metadata fields the platform supplies (are prompts actually hashed? what salt/algorithm is used?) because 'prompt_hash' may be reversible for short prompts; (3) avoid configuring webhook or email endpoints you don't fully control or trust — alerts could leak aggregate metadata off-platform; (4) request a test run in a non-production environment and inspect the exact alert payloads and logs to ensure no message bodies or identity fields are being included; (5) if you accept the skill, prefer default 'log' channel (local audit log) over external channels and limit alert recipients. If you need further analysis, provide the platform's permissions model and which of the declared metadata fields it actually supplies so I can reassess.

Review Dimensions

Purpose & Capability: noteName and description (anti-distillation, passive detection + alerting) align with the declared runtime behavior: read-only request metadata analysis and operator alerts. Requested permissions in SKILL.md (request_metadata_read, alert_send) are appropriate for this purpose. No unnecessary binaries or unrelated credentials are demanded in the instructions.
Instruction Scope: concernSKILL.md describes only reading metadata fields (timestamps, prompt_hash, request_count, parameter_signature, etc.) and explicitly excludes identity and body fields. However: (1) the outer registry metadata provided with this evaluation lists no required env vars and shows disable-model-invocation=false, while SKILL.md lists optional env vars for webhooks/SMTP and sets disable_model_invocation: true — this is an inconsistency about what the runtime will actually do; (2) the promise to 'never read' identity/request bodies is a behavioral assertion the skill cannot independently enforce — it depends on the platform providing only the listed fields; (3) prompt_hash and other metadata can still be sensitive (hashes may be reversible or linkable by brute force), so the claimed privacy guarantees are partly dependent on platform implementation and hashing strength.
Install Mechanism: okInstruction-only skill with no install spec and no code files — lowest install risk (nothing is written to disk by the skill).
Credentials: noteSKILL.md declares optional environment variables only for non-default alert channels (webhook URL, SMTP host and credentials, recipient). These are plausible for alert delivery, and SMTP_CREDENTIALS are marked as secret. However, the outer metadata reported 'Required env vars: none' which conflicts with SKILL.md's optional env settings. If a webhook or SMTP is configured, metadata or aggregated alerts could be transmitted off-platform, creating an exfiltration risk of request-pattern metadata; users should ensure they trust the alert endpoint and validate what fields are included in alerts.
Persistence & Privilege: concernSKILL.md sets autonomous: false and disable_model_invocation: true (no autonomous invocation), and always: false — but the registry metadata supplied with the evaluation indicates disable-model-invocation: false (default). This mismatch is material: if the platform honors the registry rather than the SKILL.md, the skill could be invoked autonomously. While the skill claims only passive detection, autonomous invocation combined with external alert channels increases blast radius. There is no request to modify other skills or system settings.