Skillv0.1.1

ClawScan security

Agent Supervision · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

BenignApr 17, 2026, 12:53 PM

Verdict: benign
Confidence: high
Model: gpt-5-mini
Summary: The skill's declared purpose (automated supervision of another agent) matches its instructions and requirements; it asks for a target session identifier and recommends cron-driven use of sessions_send/sessions_history, with no unrelated privileges or installs.
Guidance: This skill appears coherent and limited to supervising another agent via session messaging. Before installing or enabling it: 1) Confirm the exact target sessionKey and ensure it points to the intended agent (not a user-facing chat or sensitive channel). 2) Limit allowed tools to only sessions_send and sessions_history as recommended. 3) Use isolated bridge + delivery.mode=none to prevent supervision chatter from leaking into user-facing conversations. 4) Be cautious when creating cron jobs — set explicit TTLs, audit logs, and revoke capability if behavior is unexpected. 5) Treat the sessionKey as a sensitive credential and rotate/revoke access if needed. If you need the skill to access anything beyond session messages (files, external APIs, creds), do not enable it until those requests are explicitly documented and justified.

Purpose & Capability: okThe name/description align with the runtime instructions. The skill legitimately needs a target sessionKey and access to session messaging/history; it does not request unrelated binaries, cloud credentials, or filesystem paths.
Instruction Scope: okSKILL.md limits activity to reading recent target messages, classifying progress, sending short supervision messages, and verifying delivery on send timeouts. It does not instruct reading arbitrary files, environment variables, or contacting external endpoints outside the platform's session APIs.
Install Mechanism: okInstruction-only skill with no install spec and no code files — nothing is written to disk or downloaded during install.
Credentials: okNo environment variables or external credentials are requested. The single sensitive input is the target sessionKey (a session identifier), which is appropriate for the purpose but should be treated as a secret since it grants access to another agent's conversation.
Persistence & Privilege: notealways:false and model invocation allowed (normal). The skill explicitly recommends creating persistent cron jobs (an expected design for supervision). Users should be aware that crons/autonomous supervision will run without ongoing interactive approval and should limit tools and lifetime of such jobs.