Skill v1.0.0

ClawScan security

Php Sql Fixer · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Suspicious · Apr 15, 2026, 5:37 PM
Verdict: suspicious
Confidence: medium
Model: gpt-5-mini
Summary
The skill's purpose (scan and suggest fixes for PHP/Yaf SQL injection) matches the provided scanner and docs, but the runtime instructions reference a missing helper script and a hard-coded, machine-specific Docker compose path — signs the package is incomplete or sloppily packaged and needs closer inspection before use.
Guidance
This package mostly contains a reasonable SQL-scanner for PHP/Yaf, but it appears incomplete and somewhat sloppy. Before installing or running it:
1) Do not run anything as root or against production code — test on a cloned repo.
2) Verify the missing file: look for scripts/suggest_fix.php (referenced in SKILL.md); if absent, ask the publisher or obtain the helper before relying on automatic fixes.
3) Remove or update the hard-coded docker-compose path in the docs — it references the author's machine and will fail on your machine.
4) Inspect scripts/scan_sql.sh yourself (it uses grep) — it performs only local file scanning and prints a report; there are no network calls in the included files.
5) If you plan to apply fixes, review each suggested change manually and run php -l and your test suite in a safe environment.
If the missing helper is supplied later, re-run a security review on that file before use.
Findings
[missing-referenced-file:suggest_fix.php] unexpected: SKILL.md and the generated report instruct running php "$SKILL_DIR/scripts/suggest_fix.php" but no suggest_fix.php is present in the file manifest. If the helper is required for 'Fix' functionality, its absence makes the packaged skill incomplete.
[hardcoded-docker-path] unexpected: SKILL.md uses a hard-coded docker compose file path (/mnt/d/Users/Public/.../docker-php7.3/docker-compose.yml) that appears to be an author-specific environment and is not generally applicable to users. This is not necessary for the skill's scanning functionality and may confuse users.

Review Dimensions

Purpose & Capability
Note: Name and description match the included scanner logic and fix-patterns documentation. The declared required binaries (bash, grep, php) mostly make sense for scanning and for the referenced PHP helper, but the code bundle only contains a bash scanner and the PHP suggestion script referenced in SKILL.md is not present — a mismatch between claimed capabilities and included files.
Instruction Scope
Concern: SKILL.md stays within the stated domain (scan, triage, generate fixes) but instructs running a PHP helper (suggest_fix.php) that is not included and contains a hard-coded, author-specific docker-compose path (/mnt/d/Users/Public/.../docker-php7.3/docker-compose.yml). The docker path is unrelated to the skill itself and reveals a host-specific command that won't work for most users; this suggests poor hygiene or incomplete packaging. Other instructions (open files, check superglobals, run curl tests) are appropriate for the task.
Install Mechanism
OK: Instruction-only skill with no install spec and no remote downloads — low install risk. The only included executable artifact is a bash scanner script; nothing is written to disk by an installer.
Credentials
OK: No environment variables, credentials, or config paths are requested. The skill only requires local binaries (bash, grep, php), which are proportional to a source-code scanner and PHP helper.
Persistence & Privilege
OK: always:false, user-invocable true, and no code that modifies other skills or system configs. The skill does not request persistent privileges or autoregistration.