Skill v1.0.3

ClawScan security

System Data Intelligence — File · Analysis · Visualization · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Suspicious
Mar 10, 2026, 5:49 AM
Verdict
suspicious
Confidence
medium
Model
gpt-5-mini
Summary
The skill's code and instructions match its claimed purpose (file I/O, DB, API, analysis, masking), but its runtime instructions force automatic activation and broad local/remote access without explicit user confirmation, which raises operational and privacy concerns.
Guidance
This package appears coherent for file parsing, DB queries, API ingestion, analysis and visualization — the included scripts implement what the SKILL.md promises. However:

- SKILL.md / AGENTS.md mandate automatic activation for many common triggers and say 'do not ask user' — that means an agent using this skill could read local files, open Office via COM/AppleScript, connect to DBs/APIs, and write outputs without asking explicit consent each time. Consider whether you want that behavior.
- The skill will accept raw DB URLs and API tokens and can send/receive network data. Only provide credentials to this skill if you trust it and the execution environment. Prefer short-lived credentials or read-only accounts for testing.
- Inspect and, if possible, run the code in a sandbox/container first (the repo includes docker-compose). Verify that temporary files are actually deleted and that logs don't leak secrets. Run the tests and review scripts/security_utils.py to confirm masking behavior meets your requirements.
- On macOS/Windows the readers require granting automation/accessibility permissions; consider the impact before enabling them.
- If you want safer operation: require user confirmation before any network/DB call or file access, run the skill with least privilege (container, network restrictions), and do not give production credentials until you are satisfied with its behavior.

Given the forced/automatic activation policy and the broad I/O/network capabilities, treat this skill with caution rather than installing it into a fully-trusted, always-connected agent without additional controls.

Review Dimensions

Purpose & Capability
ok
Name/description align with the bundled code and dependencies: the repository contains parsers, platform-specific readers (COM/xlwings/openpyxl), DB connector, API loader, analyzer and viz engine. There are no unrelated required environment variables or external credentials declared in metadata, and requirements.txt matches the claimed functionality.
Instruction Scope
concern
SKILL.md / AGENTS.md explicitly mandate automatic use whenever many keywords are mentioned and instruct the agent to 'act' without asking technical questions. The runtime flow instructs reading local files (various formats), invoking COM/AppleScript, calling arbitrary DBs and REST APIs, creating outputs and temp directories, and performing masking. That scope is appropriate for the feature set but the mandatory/automatic invocation + 'do not ask user' policy grants broad discretion to the agent to access local files and external networks and to process sensitive data without explicit user confirmation.
Install Mechanism
ok
No remote download/install spec; the skill is an instruction + source bundle with the code included. requirements.txt pins common packages. No use of obscure external URLs or installers; code is local. This lowers supply-chain risk compared to arbitrary remote installs.
Credentials
note
The skill declares no required env vars. It reasonably expects user-supplied DB connection URLs and API tokens at runtime (APILoader.set_auth_token, DBConnector connection URL). No unrelated credentials are requested in metadata. However, the code will accept raw connection URLs/tokens and will use network and DB access if provided, so credentials given to the skill enable broad access.
Persistence & Privilege
note
always:false and standard autonomous invocation are used. The skill writes outputs and temporary files (outputs/, temp dirs) and instructs automatic cleanup, but does not request to modify other skills or global agent settings. The main concern is behavioral: the skill enforces automatic activation and non-interactive operation, which increases the chance it will run on sensitive data without prompting.