v1.0.0

Reliable Tool Context

Suspicious

ClawScan verdict for this skill. Analyzed Apr 30, 2026, 11:11 AM.

Analysis

The skill is transparent about its purpose, but it depends on an unpinned external tool and tells the agent to run arbitrary commands and inline Python queries without clear approval or side-effect limits.

Guidance

Install only if you trust the `sift-gateway` package and can pin or verify its version. Use the skill with read-only commands unless you explicitly approve a mutating action, review generated Python queries before running them, avoid capturing secrets, and keep `--scope single` unless cross-artifact analysis is truly needed.

Findings (6)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

Abnormal behavior control

Checks for instructions or behavior that redirect the agent, misuse tools, execute unexpected code, cascade across systems, exploit user trust, or continue outside the intended task.

Tool Misuse and Exploitation
Severity: Medium | Confidence: High | Status: Concern
SKILL.md
sift-gateway run --json -- <command>

The required workflow wraps an arbitrary placeholder command, and the skill does not add read-only, approval, or side-effect boundaries for the command being captured.

User impact: An agent could use this workflow to run broad local or third-party CLI commands, including commands that change data or environments, unless the user sets separate limits.
Recommendation: Use the skill only for commands you intended to run; require confirmation for mutating/destructive commands and prefer read-only inspection commands.

Agentic Supply Chain Vulnerabilities
Severity: Medium | Confidence: High | Status: Concern
install spec
[0] uv | package: sift-gateway | creates binaries: sift-gateway

The install spec pulls an external package/binary by name without a pinned version or hash, and the skill's behavior depends on that binary.

User impact: A changed or unexpected package version could alter the command capture or code-query behavior users rely on.
Recommendation: Pin and verify the `sift-gateway` package version and source before installing, especially in sensitive environments.

Unexpected Code Execution
Severity: Medium | Confidence: High | Status: Concern
SKILL.md
sift-gateway code --json <artifact_id> '$' --code "def run(data, schema, params): return ..."

The workflow executes inline Python supplied through `--code` for artifact queries, but the instructions do not state a side-effect-free review or containment requirement.

User impact: Generated Python queries could do more than summarize artifacts if written unsafely, because the skill does not define an instruction-level boundary against side effects.
Recommendation: Review generated code before execution, keep queries side-effect-free, and run the tool in a constrained environment when handling sensitive systems.

Cascading Failures
Severity: Low | Confidence: High | Status: Note
SKILL.md
`sift-gateway code` defaults to `--scope all_related`; start with `--scope single` for anchor-only analysis and widen scope only when needed.

The documented default can include related artifacts; the guardrail reduces risk, but widening scope can propagate a mistaken or poisoned capture into broader analysis.

User impact: A bad capture or wrong artifact could influence analysis across related artifacts if the scope is widened unnecessarily.
Recommendation: Use `--scope single` by default, verify artifact IDs, and only perform cross-artifact joins when the user explicitly needs them.

Permission boundary

Checks whether tool use, credentials, dependencies, identity, account access, or inter-agent boundaries are broader than the stated purpose.

Identity and Privilege Abuse
Severity: Info | Confidence: High | Status: Note
README.md
Create a ClawHub API token. Add repository secret `CLAWHUB_TOKEN` in GitHub

This credential is documented for an optional maintainer sync workflow rather than normal runtime use, but it is still account authority users should not confuse with installation requirements.

User impact: A user following the maintainer sync section could grant publishing access to ClawHub.
Recommendation: Only create or store a ClawHub token if you are maintaining the publishing workflow; use least-privilege tokens and do not treat this as required for normal skill use.

Sensitive data protection

Checks for exposed credentials, poisoned memory or context, unclear communication boundaries, or sensitive data that could leave the user's control.

Memory and Context Poisoning
Severity: Low | Confidence: High | Status: Note
SKILL.md
Capture output as an artifact ... Keep only `artifact_id` plus a short summary in prompt context ... Never paste raw captured payloads back into context.

The skill intentionally stores command output outside prompt context and references it by artifact ID; this reduces prompt exposure but still creates stored artifacts that may contain sensitive output.

User impact: Secrets or sensitive data printed by commands may remain in artifacts even if they are not pasted into the chat context.
Recommendation: Avoid capturing secrets, use focused queries, and clear or limit retention of artifacts according to your workspace policy.