Skill v0.1.0

ClawScan security

Zsxq Shared · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Suspicious · Apr 19, 2026, 2:31 PM
Verdict
suspicious
Confidence
medium
Model
gpt-5-mini
Summary
The skill's instructions match a CLI auth helper, but missing provenance, a metadata mismatch about required binaries, and the claim of a permanent keychain token raise prudence flags before install.
Guidance
This skill appears to be a straightforward CLI auth helper, but take these precautions before installing:
1) Verify that the zsxq-cli binary comes from a trusted source (the skill gives no homepage or source).
2) Confirm that the registry metadata is corrected (SKILL.md requires zsxq-cli, but the registry entry omitted it).
3) Be aware that the skill claims tokens are permanently stored in your system Keychain; prefer short-lived tokens or make sure you can revoke them.
4) Do not allow the agent to perform writes (post/delete) without explicit confirmation; the SKILL.md mentions confirming writes, so enforce that.
5) If possible, run login locally yourself rather than letting the agent run background auth, and ask the skill author/maintainer for source code or a homepage to establish provenance.
If you need higher assurance, request that the skill be updated to document how to obtain zsxq-cli, token lifetime and revocation, and to add a source repository or homepage.

Review Dimensions

Purpose & Capability
note
The SKILL.md describes CLI-based auth/login/status/diagnostics for zsxq-cli and the commands are consistent with that purpose. However, the registry metadata earlier listed no required binaries while SKILL.md includes a metadata.requires bins: ["zsxq-cli"] — that's an internal inconsistency. Also the skill's source/homepage are unknown, which reduces provenance.
Instruction Scope
ok
Instructions are limited to running zsxq-cli commands (auth login/status, doctor, config show, api call/raw). The agent is told to run auth login, present the returned verification link to the user, and wait — no instructions to read arbitrary system files or exfiltrate data. It does suggest using raw API calls (which is reasonable for a CLI helper).
Install Mechanism
ok
This is instruction-only with no install spec (lowest disk/write risk). That said, it requires the zsxq-cli binary to be present; SKILL.md does not say where to obtain it and the skill has no homepage/source, so the provenance and trustworthiness of the expected binary are unknown.
Credentials
note
The skill declares no environment variables or external credentials. It does state that tokens are stored in the system Keychain and are '永久有效' (permanently valid). Long-lived tokens increase risk if compromised, and the skill does not explain how to rotate or revoke tokens. No unexplained credential requests are present, but the permanence claim is a security/privacy concern.
Persistence & Privilege
ok
The always flag is false and there is no install spec that would grant persistent system presence. The skill does not request modifying other skills or system-wide settings. Autonomous invocation is allowed by default (disable-model-invocation is false), which is normal — weigh this together with the other notes when deciding.