Skill v1.0.1

ClawScan security

Agent Rpg · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Suspicious · Mar 17, 2026, 4:59 AM
Verdict
suspicious
Confidence
medium
Model
gpt-5-mini
Summary
The skill appears to implement a consistent RPG GM with local save/load and dice tooling, but the included scripts write files under memory/rpg without sanitizing campaign names (risk of path traversal / arbitrary file writes), so proceed with caution.
Guidance
This skill is coherent with its RPG GM purpose and ships the source of its small helper scripts, but it has a practical security flaw: campaign names (and other inputs) are used directly to construct filesystem paths without sanitization. A campaign name containing '../' or an absolute path can therefore make the skill create or overwrite files outside memory/rpg. Before installing or enabling this skill:

- Inspect or run the scripts in a sandboxed environment (container or VM) with limited filesystem permissions.
- If you intend to use it, patch scripts/context.py to sanitize campaign names: reject path separators, normalize and resolve the final path, and enforce that the resolved path remains under MEMORY_ROOT. Example mitigations: strip path separators, allow only [A-Za-z0-9_.-] (note that this allowlist still admits '.' and '..', so reject those explicitly), or use Path.resolve() and verify that the result is a subpath of MEMORY_ROOT. Combining a character allowlist with a resolved-path containment check is strongest; the containment check also catches a symlink planted inside memory/rpg that points elsewhere.
- Run the agent with least-privilege filesystem access so the skill cannot overwrite sensitive files.
- Because there are no network calls and no secrets are requested, there is no immediate exfiltration signal, but treat campaign names and other CLI parameters as untrusted input.

For a quick check: run the scripts manually with safe campaign names first and confirm they create files only under memory/rpg, as intended.

Review Dimensions

Purpose & Capability
ok
Name, description, SKILL.md, and included scripts align: a text-RPG GM that uses dice rolls and a simple filesystem-backed state (memory/rpg). No unrelated cloud credentials or binaries are requested, and the files (context.py, dice.py, assets, references) match the stated purpose.
Instruction Scope
concern
SKILL.md explicitly instructs the agent to invoke the included Python tools (context.py and dice.py) and to store state under memory/rpg/<campaign_name>. That is expected for a save-file-based RPG, but neither the instructions nor the scripts sanitize the campaign name supplied by the user or agent, so relative segments such as '../' or an absolute path embedded in the name can place writes outside the intended memory directory. The instructions also tell the agent to run the local scripts via relative paths (e.g., python3 skills/agent-rpg/scripts/context.py); that is expected, but it raises the stakes when paths or inputs are uncontrolled.
Install Mechanism
ok
No install spec; this is instruction+script only. That reduces supply-chain risk because nothing external is downloaded or executed during install.
Credentials
ok
The skill requests no environment variables, no external credentials, and no network endpoints. The scope of access (local filesystem reads/writes for game state) is consistent with the stated purpose.
Persistence & Privilege
note
The skill persists state to disk (memory/rpg/...), which is expected for a campaign save system, and 'always' is false. The main risk is the lack of input validation on campaign names and other CLI inputs, which can allow writes outside the intended save folder. The skill does not modify other skills' configs or request elevated privileges.
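The mitigation recommended under Guidance, shown as an added example that is not code from the Agent Rpg skill or from the scanner: the vulnerable join pattern that Instruction Scope and Persistence & Privilege describe, beside a hardened form that applies the character allowlist, an explicit reject of '.' and '..', and a resolved-path containment check. MEMORY_ROOT, the function names and the state.json filename are assumptions; the skill's real scripts/context.py may be laid out differently.

```python
"""Campaign-name sanitization for a filesystem-backed save directory.

Added example, not code from the Agent Rpg skill. It assumes the save root
is memory/rpg (MEMORY_ROOT) and that each campaign maps to exactly one
subdirectory directly beneath it; all function names are hypothetical.
"""
import re
from pathlib import Path

# Assumed save root; the real scripts/context.py may name it differently.
MEMORY_ROOT = Path("memory/rpg").resolve()

# Allowlist from the scanner guidance. Note that it still admits '.' and '..'.
SAFE_NAME = re.compile(r"[A-Za-z0-9_.-]{1,64}")


class UnsafeCampaignName(ValueError):
    """Raised when a campaign name could escape MEMORY_ROOT."""


def naive_campaign_dir(name: str, root: Path = MEMORY_ROOT) -> Path:
    """The vulnerable pattern: join untrusted input straight onto the root.

    '../../etc/cron.d/evil' climbs out of root, and an absolute name such as
    '/etc/passwd' replaces root entirely (pathlib discards the left operand
    when the right one is absolute).
    """
    return root / name


def escapes_root(path: Path, root: Path = MEMORY_ROOT) -> bool:
    """True if the resolved path is neither root itself nor a descendant of it."""
    resolved = path.resolve()
    return resolved != root and root not in resolved.parents


def campaign_dir(name: str, root: Path = MEMORY_ROOT) -> Path:
    """Hardened form: allowlist, explicit dot-name reject, containment check.

    Each layer catches something the others miss: the allowlist blocks
    separators and absolute paths; the explicit check blocks '.' and '..',
    which the allowlist admits; the resolved-path check also catches a
    symlink planted under root that points somewhere else.
    """
    if not SAFE_NAME.fullmatch(name):
        raise UnsafeCampaignName(f"disallowed characters or length: {name!r}")
    if name in (".", ".."):
        raise UnsafeCampaignName(f"dot-name not allowed: {name!r}")
    candidate = (root / name).resolve()
    # Stricter than "somewhere under root": exactly one component below it.
    if candidate.parent != root:
        raise UnsafeCampaignName(f"resolves outside {root}: {candidate}")
    return candidate


def is_safe_campaign_name(name: str) -> bool:
    """Boolean wrapper for callers that prefer a check to an exception."""
    try:
        campaign_dir(name)
    except UnsafeCampaignName:
        return False
    return True


def save_campaign(name: str, state: str, root: Path = MEMORY_ROOT) -> Path:
    """Write state.json for a campaign, creating its directory under root."""
    target = campaign_dir(name, root) / "state.json"
    target.parent.mkdir(parents=True, exist_ok=True)
    target.write_text(state, encoding="utf-8")
    return target


if __name__ == "__main__":
    # Constructed probes: one legitimate name and four traversal attempts.
    for probe in ("dragon_keep", "../../etc/cron.d/evil", "/etc/passwd", "..", "."):
        naive = escapes_root(naive_campaign_dir(probe))
        print(f"{probe!r:28} naive escapes root: {str(naive):5} "
              f"hardened accepts: {is_safe_campaign_name(probe)}")
```

The containment check compares `candidate.parent` to the resolved root rather than merely testing that root is an ancestor, which also rejects a name that resolves to root itself ('.' collapses to root) and anything nested deeper than one level. Run the script from the skill's working directory to see which probes the naive join lets through and the hardened function refuses.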