Skill v0.1.0

ClawScan security

find-bugs · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Suspicious · Apr 15, 2026, 8:18 AM
Verdict: suspicious
Confidence: medium
Model: gpt-5-mini
Summary
The skill's instructions are coherent with a local code-review tool, but the SKILL.md requires the 'git' command and makes brittle assumptions (e.g., branch named 'master', reading full diffs) while the metadata declares no required binaries — this mismatch and a few scope assumptions are concerning and should be fixed before use.
Guidance
This skill looks like a reasonable local code-review checklist, but fix the metadata mismatch before trusting it: declare 'git' as a required binary (or update instructions to handle missing git). Be aware the instructions will read every changed file in the branch — repositories often contain sensitive data (API keys, private certs, large logs). Only run this skill on repositories you trust and avoid running it in environments where reading the repo could expose secrets to the agent's outputs. Also consider updating the SKILL.md to (1) handle repos where the default branch is 'main' or another name, (2) allow the user to confirm the base branch or provide it explicitly, and (3) clarify how to handle very large diffs (paging, limits) to avoid inadvertent data exfiltration. If you want higher assurance, request the author to add explicit required-binaries metadata and a short note describing that the skill reads local files only and does not transmit data externally.

Review Dimensions

Purpose & Capability
concern: The skill's stated purpose (review local branch changes) matches the SKILL.md instructions, which require running git commands and reading repository files. However, the registry metadata lists no required binaries while the instructions explicitly call 'git diff' and rely on git being available. That mismatch is incoherent: a code-review skill legitimately needs git or an equivalent VCS tool declared.
Instruction Scope
note: SKILL.md gives a detailed, concrete review procedure (get full diff, read every changed file, map attack surface, run a checklist, verify, and report). It does not instruct contacting external endpoints or accessing unrelated system files. Two points to note: (1) it assumes the base branch is named 'master' (many repos use 'main' or other names), and (2) it explicitly tells the agent to read every changed file — which is expected for a repo review but could surface secrets or sensitive data if present in the repo. The instructions are otherwise appropriately scoped to code-review tasks.
Install Mechanism
ok: There is no install spec and no code files; this is instruction-only, which is low risk for install-time arbitrary code. Nothing is written to disk by the skill itself.
Credentials
ok: The skill declares no environment variables, no credentials, and no config paths. The SKILL.md also does not request secrets or external credentials. This is proportionate for a local code-review helper.
Persistence & Privilege
ok: The skill is not force-enabled (always: false) and does not request persistent/high-privilege settings. Autonomous invocation is allowed (platform default) but that alone is not flagged. The skill does not request to modify other skills or system-wide settings.