Skillv1.0.0

ClawScan security

Find Skills.Tmp · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

SuspiciousMar 14, 2026, 2:20 AM

Verdict: suspicious
Confidence: medium
Model: gpt-5-mini
Summary: The skill's instructions match its stated purpose (finding/installing skills) but they recommend running npx to fetch and globally install third‑party packages with flags that skip confirmation, which could lead to arbitrary code execution; proceed with caution.
Guidance: This skill does what it says: it finds skills and tells you how to install them using `npx skills`. However, it also encourages running `npx skills add` with `-g -y`, which downloads and runs third‑party code and installs it globally without prompting. Before installing anything: (1) ask the agent to show the exact install command and the repository/package it will fetch, (2) inspect the package/repo yourself or prefer packages from trusted publishers, (3) avoid global installs when possible (use local installs), and (4) do not allow the agent to run install commands autonomously—require explicit user confirmation for each install.

Purpose & Capability: okName and description align with the actions in SKILL.md: searching and installing skills via the Skills CLI (npx skills find/add). No unrelated env vars, binaries, or config paths are requested.
Instruction Scope: concernInstructions explicitly tell the agent to run shell commands that fetch and install third‑party packages (e.g., `npx skills add <owner/repo@skill> -g -y`). They do not direct the agent to read unrelated files or credentials, but the recommended global install and `-y` skip confirmation flags enable installing and executing remote code without an explicit per‑install approval step.
Install Mechanism: noteThe skill is instruction‑only (no install spec), so nothing is written by the skill itself. However, its recommended workflow relies on `npx`, which dynamically downloads and runs code from package registries/GitHub — a moderate risk because it executes remote code on the host.
Credentials: okNo environment variables, credentials, or config paths are requested. The skill does not ask for secrets or unrelated access.
Persistence & Privilege: noteThe skill is not always-enabled and does not request elevated platform privileges. Still, its guidance to perform global installs (`-g`) and to skip confirmations increases the chance of persistent, system‑wide changes if the agent executes those commands autonomously.