Skill v0.2.0
ClawScan security
TOSR Publish Then Update Test · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Suspicious · Apr 23, 2026, 6:21 AM
- Verdict: suspicious
- Confidence: medium
- Model: gpt-5-mini
- Summary: The skill's stated purpose (exercise the clawhub skill lifecycle) matches its instructions, but the SKILL.md is ambiguous about the API host and authentication and would cause destructive actions (create/update/delete) against a 'real' clawhub endpoint without declaring required credentials or safeguards.
- Guidance: This skill will attempt to create, update, inspect, and delete skills via the clawhub REST API but does not specify which host or how to authenticate. Before installing or running it: (1) Do not run this against a production clawhub instance. (2) Ask the author to provide the base URL and explicit authentication requirements (what env vars or token are needed) and to declare them in requires.env. (3) Prefer running the test in an isolated/staging environment you control and verify cleanup behavior. (4) If you can't get clear auth/host instructions, decline installation — the skill could perform destructive actions unintentionally. (5) Consider disabling autonomous invocation until you confirm safe defaults and credentials.
Review Dimensions
- Purpose & Capability: concern. The skill's purpose is an integration test that creates, updates, inspects, and deletes skills via the clawhub REST API — that capability is coherent with the name/description. However, exercising the clawhub API typically requires a base URL and authentication; the skill declares no required environment variables, no primary credential, and gives only relative endpoints (e.g. POST /api/v1/skills) with no host or auth instructions. The lack of declared credentials or target host is inconsistent with the stated capability.
- Instruction Scope: concern. SKILL.md explicitly directs the agent to perform destructive operations (publish, update, delete) against the 'real clawhub API' but provides no host, auth, headers, rate-limit/safety checks, or rollback/confirmation steps. That leaves broad discretion to the agent and risks unintended mutations on a production registry if run. The file also claims ephemeral cleanup but gives no mechanism or guarantees.
- Install Mechanism: ok. This is an instruction-only skill with no install spec and no code files, which minimizes installation risk — nothing is downloaded or written to disk by the skill itself.
- Credentials: concern. No environment variables or credentials are declared despite the skill needing to call protected API endpoints to create/update/delete skills. That mismatch is suspicious: the skill either assumes implicit platform-provided credentials (not documented) or omits required sensitive inputs, both of which are problematic.
- Persistence & Privilege: ok. The skill does not request permanent presence (always:false) and is user-invocable. Autonomous invocation (model-invocation allowed) is the platform default; by itself this is not a new privilege. Still, autonomous execution combined with the destructive API calls described above increases risk if the skill were run without review.
