Skill v1.0.0

ClawScan security

evolving skill creator · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Suspicious · Apr 6, 2026, 3:10 AM
Verdict
suspicious
Confidence
medium
Model
gpt-5-mini
Summary
The skill's stated purpose (create and evolve other agent Skills) matches its instructions, but several runtime instructions recommend persistent automation and unsafe flags (cron, --dangerously-skip-permissions) and direct the agent to read private memory paths — these behaviors expand its effective privileges and deserve caution.
Guidance
This skill is functionally coherent: it really does what it says (assist creating and evolving other Skills). But pay attention before enabling automation or granting directory/tool permissions. Do not enable cron/launchd/systemd/GitHub Actions tasks until you: (1) inspect memory/private/backlog.md and agents-registry.md to see what data and child agents exist; (2) choose Option A (keep memory/output inside the skill directory) for isolation if you want to limit access; (3) refuse use of flags like --dangerously-skip-permissions and avoid pre‑authorizing broad tool sets — instead explicitly approve each tool/permission; (4) require manual confirmation for bulk operations (e.g., 'review all' or automated upgrades); and (5) prefer least-privilege: restrict any scheduled runs to a controlled sandbox and cap external executor credentials/budgets. If you want lower risk, keep the skill manual-only (do not schedule ticks) and review all created SKILL.md and output files before applying changes. If you can provide evidence that scheduled tasks will run in a sandbox and that any 'self-modification' or upgrade steps require explicit human approval, my confidence that the skill is safe would increase.

Review Dimensions

Purpose & Capability
note: The name/description (an 'evo-skill-creator' that builds self‑evolving agents) aligns with the SKILL.md content: it describes creating child agents, registering them, running learn/scan/review/go flows and maintaining memory and reports. Requiring access to memory files, agents-registry, and output/report files is coherent for this purpose. No unrelated environment variables or external credentials are required by the manifest.
Instruction Scope
concern: The SKILL.md explicitly instructs the agent to read many local files (scene-index.md, memory/private/README.md, memory/private/backlog.md, memory/private/agents-registry.md) and to write persistent logs/reports. It also prescribes automating periodic runs (cron/launchd/systemd/GitHub Actions) and gives examples using tool flags such as --allowedTools and the dangerous --dangerously-skip-permissions. While reading its own memory is expected, references to 'private/' paths and suggestions to skip permission checks and auto-schedule autonomous runs broaden scope and risk unexpected data access or privileged actions if the user enables them.
Install Mechanism
ok: This is instruction-only (no install spec, no code files to execute). That lowers supply-chain risk because nothing is downloaded or installed automatically. The skill does instruct using external CLIs (claude, opencode) but does not require them via the package manifest.
Credentials
note: The registry metadata requests no environment variables or credentials, which is proportionate. However SKILL.md references external executors and environment signals (examples mention CLAUDE_CODE_TASK_LIST_ID, --allowedTools flags etc.) that are not declared; the skill may prompt the user to configure executor-specific credentials later. Absence of declared secrets is good, but the instructions can lead users to grant broader tool/credential access during setup — so watch for later requests for executor tokens or dangerous permission flags.
Persistence & Privilege
concern: always:false and default autonomous invocation are normal, but the skill explicitly encourages persistent automation (cron, launchd, GitHub Actions, tick scripts) and recommends parameterizing allowed tools or skipping permission checks. Combined with the skill's ability to create/upgrade many child agents and to register/iterate them (review all, bulk upgrades), this can increase blast radius if scheduled runs are enabled or dangerous flags are used. The manifest itself does not enforce persistence, but the guidance would lead a less technical user to grant ongoing privileges.