Skillv1.0.1

ClawScan security

Yidun Skill Sec · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

ReviewMar 13, 2026, 10:27 AM

Verdict: Review
Confidence: medium
Model: gpt-5-mini
Summary: The skill's declared purpose (a hybrid local-cloud security scanner) matches its requirements, but important runtime behaviors (local redaction, what snippets are uploaded, and exact file-read scope) are only described in prose with no code to verify — this creates a non-trivial risk of sensitive-data exposure unless you audit or restrict it.
Guidance: This skill appears to do what it says (a hybrid local-cloud scanner) and only needs curl/jq/openssl. The main risk is data you may not expect it to send: the SKILL.md says it uploads redacted code snippets and tags to a third‑party endpoint (as.dun.163.com). Because there is no implementation included, you cannot verify the redaction or exact upload rules. Before installing or enabling cloud mode: 1) Prefer running scans offline (set YIDUN_SKILL_SEC_CLOUD=false) on sensitive code or in an isolated environment. 2) If you plan to enable cloud analysis, test it first on non-sensitive packages to confirm what is sent. 3) Ask the author or vendor for the scanner implementation (or review it) to verify the local redaction pipeline and the exact file-read policies. 4) Limit network access (e.g., firewall) if you cannot audit the implementation. 5) If you use this skill in high-sensitivity contexts, require that cloud uploads be disabled or that the vendor provides a signed, auditable client implementation. These steps will reduce the chance that secrets or unexpected data are exfiltrated.
Findings: [NO_CODE_FILES] expected: This is an instruction-only skill; the regex-based scanner had no code files to analyze. That means claims about local redaction and upload behavior cannot be validated by the static scan.

Review Dimensions

Purpose & Capability: okName/description (security scanner) align with required binaries (curl, jq, openssl) and with the SKILL.md: cloud checks, fingerprinting, and static analysis reasonably require network calls and hash computation.
Instruction Scope: noteSKILL.md instructs the agent to read package files, compute fingerprints, run behavioral analysis, and upload redacted evidence (hashes, tags, and code snippets) to as.dun.163.com. That is coherent for a scanner, but the redaction pipeline and exact rules for what is/ isn't uploaded are only described textually — there is no code to verify that full sources, credentials, or other sensitive artifacts will never be uploaded. The scanner also mentions detecting accesses to agent memory and sensitive paths; if implemented poorly, the scanning step itself could read sensitive files. Summary: behavior is expected for the purpose, but the absence of verifiable implementation details raises privacy/exfiltration concerns.
Install Mechanism: okInstruction-only skill (no install spec, no code files) — this is low-risk from an installation/execution perspective because nothing is written or executed by default. Requires standard CLI tools only; no downloads from arbitrary URLs.
Credentials: okThe skill does not request credentials or privileged environment variables. Declared optional env vars (YIDUN_SKILL_SEC_CLOUD, TRUSTED_REGISTRIES, LOG_PAYLOAD) are reasonable for toggling cloud behavior and trusted hosts.
Persistence & Privilege: okalways is false and the skill is user-invocable; it does not request persistent system-wide privileges or to modify other skills. Autonomous invocation is allowed by platform default but is not combined with other privilege escalations here.