Skill v0.2.0
ClawScan security
TOSR Publish Then Update Test · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Suspicious · Apr 23, 2026, 6:18 AM
- Verdict
- suspicious
- Confidence
- medium
- Model
- gpt-5-mini
- Summary
- The skill's stated purpose (integration test for the clawhub skill lifecycle) matches the instructions, but it omits how it will authenticate and includes destructive actions (publish/update/delete) without safeguards — this mismatch and potential for accidental deletion is concerning.
- Guidance
- This skill will call clawhub endpoints to create, update, and delete skills. Before installing or running it: (1) confirm whether the agent environment has any clawhub API credentials — if so, do not run this skill against your real account; (2) prefer running it in a locked test account or sandbox where deletions are safe; (3) request that the skill author declare required env vars (API token) and add an explicit dry-run / confirmation step and target slug to avoid accidental deletion; (4) avoid enabling autonomous invocation for this skill unless you trust it and have isolated credentials; and (5) if you must run it, monitor audit logs on clawhub and review created/remaining resources to ensure cleanup.
Review Dimensions
- Purpose & Capability
- note: Name and description claim this is an integration test for the clawhub API and the SKILL.md describes publish/inspect/update/delete operations against clawhub; that is coherent. However, the skill declares no required credentials or env vars even though interacting with a real REST API normally requires authentication; this omission is unexplained.
- Instruction Scope
- concern: The runtime instructions explicitly direct the agent to perform POST (publish), GET (inspect), update a version, and DELETE a skill on the real clawhub API. These are destructive operations that could affect user-owned resources. The instructions provide no auth details, no safety checks, no dry-run option, and no guidance about which account/slug to target, increasing the risk of unintended changes.
- Install Mechanism
- ok: This is an instruction-only skill with no install spec and no code files, which minimizes local persistence and install-time risk.
- Credentials
- concern: No environment variables, credentials, or config paths are declared, yet the skill intends to call clawhub endpoints that typically require authentication. The absence of a declared primary credential or required env vars (API token) is an incoherence that could lead the agent to use whatever clawhub credentials are already present in the environment, a risky and opaque behavior.
- Persistence & Privilege
- note: always is false (good). The skill is allowed autonomous invocation (platform default). Because the skill performs create/update/delete actions, autonomous invocation increases blast radius if the agent has clawhub credentials, but no explicit privilege escalation setting is present.
