Skill v2.2.1

ClawScan security

Rotifer Self Evolving Agent · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Suspicious · Apr 7, 2026, 1:30 PM
Verdict
suspicious
Confidence
medium
Model
gpt-5-mini
Summary
The skill's declared behavior (scan local agent config, query Rotifer API, and recommend upgrades) is coherent, but it fetches and executes an npm package at runtime and reads your local ~/.rotifer configuration — which could expose sensitive data or perform unexpected actions unless you verify the remote code first.
Guidance
This skill is coherent with its stated purpose but relies on running remote code (npx @rotifer/mcp-server) and reading your local agent configuration (~/.rotifer/). Before installing or running it: 1) review the referenced package source on GitHub and verify the npm dist.integrity value; 2) back up and inspect ~/.rotifer for secrets or tokens that could be exposed; 3) run the skill first in an isolated environment (or container) to observe network traffic and file writes; 4) prefer installing only if you trust the Rotifer project or are comfortable auditing the MCP server code yourself. If you cannot verify the remote package, treat the runtime npm fetch as an unacceptable risk.

Review Dimensions

Purpose & Capability
note: Name/description match the requested capabilities: scanning local agent configuration, querying Arena rankings, and proposing upgrades. Reading ~/.rotifer and contacting rotifer.dev are consistent with the described purpose. However, the skill delegates core behavior to an npm package fetched at runtime, so the true capabilities depend on that remote code.
Instruction Scope
note: SKILL.md limits actions to listing local agents/genes, comparing against Arena data, and only writing under ~/.rotifer with user confirmation. It explicitly calls out network:outbound and running `npx @rotifer/mcp-server`. The instructions are high-level and delegate the real work to the MCP server package — the runtime behavior is therefore opaque unless you inspect that package.
Install Mechanism
concern: No static install; the skill runs `npx @rotifer/mcp-server@0.8.1` at runtime which downloads and executes code from npm on first use. An npm package is a moderate-risk install mechanism: it is standard but executes remote code. The SKILL.md mentions verifying dist.integrity, which helps, but the runtime fetch remains a notable risk.
Credentials
concern: No env vars or credentials are declared, and the skill claims to use only a Supabase anon key. However, it reads ~/.rotifer/ (local agent configuration) — that directory could contain other skills' configuration, API keys, or tokens. Although the SKILL.md asserts local data won't be transmitted, that guarantee depends on the fetched MCP server code being honest; reading local config is proportional for the feature but raises confidentiality risks.
Persistence & Privilege
note: `always` is false and there is no install spec writing system-wide files. The skill asserts writes are limited to ~/.rotifer/ and require explicit user confirmation. Autonomous invocation (model calls) is allowed by default; that alone is not flagged, but combined with runtime npm execution it increases blast radius if the fetched package is malicious.