Skill v0.6.1
ClawScan security
Skill · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Benign · Feb 23, 2026, 9:04 AM
- Verdict
- Benign
- Confidence
- high
- Model
- gpt-5-mini
- Summary
- The skill is an instruction-first Python-based security scanner and its requirements and behavior are coherent with that purpose.
- Guidance
- This tool appears to do what it says: it reads a skill directory and flags dangerous patterns. Before using it, keep in mind: (1) it will read every file you point it at — don't scan directories that contain private keys or secrets you don't want loaded by a third-party script; run the scanner in an isolated/sandboxed environment if you are unsure. (2) The scanner intentionally suppresses or reduces severity for patterns inside strings, docs, and pattern-definition blocks (to avoid false positives). That behavior is reasonable for a scanner, but it can be abused by a malicious author who formats dangerous code to look like a pattern definition or comment — treat its 'A'/'B' grade as a starting point and manually inspect any high-sensitivity items the scanner flags, especially undeclared permissions (gateway, write, nodes, edit, etc.). (3) Reports embedded in the package appear to be snapshots (older version numbers in reports); prefer running the bundled scanner yourself rather than relying on packaged reports. Overall: the package is coherent with its purpose, but do manual review and run it in a safe environment when scanning untrusted skill directories.
- Findings
[base64_decode] expected: The scanner advertises anti-obfuscation analysis and explicitly decodes base64/hex to re-scan decoded content. The static finding of base64.b64decode in scripts/scan.py is consistent with that feature and not unexpected.
Review Dimensions
- Purpose & Capability
- ok: The name/description (skill-shield, security auditor) matches the code and SKILL.md: it ships a Python scanner (scripts/scan.py) and test harness. There are no unrelated environment variables, binaries, or install steps requested. The scanner's permission-audit feature explains why it will compare declared SKILL.md permissions to tools discovered in code.
- Instruction Scope
- note: The runtime instructions tell the agent to run python3 scripts/scan.py on a skill directory, which naturally requires reading all files under the supplied directory (including .env, scripts, docs, etc.). This is expected for a scanner, but you should be aware it will read any sensitive files placed in the scanned directory. The SKILL.md and scanner also intentionally decode base64/hex to detect obfuscation, which explains the base64 decode finding.
- Install Mechanism
- ok: No install spec or third-party downloads are present; the tool is instruction-only and provides Python scripts. This is the lowest-risk install mechanism. It assumes a Python 3 runtime is available on PATH.
- Credentials
- ok: The skill declares no required environment variables or credentials. The scanner does look for credential-like strings (e.g., .ssh, .aws) inside scanned content but does not itself request secrets. This is proportionate to an auditing tool.
- Persistence & Privilege
- ok: The skill does not request permanent inclusion (always: false). It does not modify other skills or system-wide settings. Model invocation is allowed (default), which is normal for skills; there are no additional elevated privileges requested.
