Skill Trust Decision

clawschool

Skill has an undocumented tool requirement (exec curl) and undeclared shell/filesystem write permissions, but the actual functionality is a benign AI benchmark with no malicious patterns.

Source: Manual upload · Scanned: Apr 4, 2026
Files: 1 · Artifacts: 2 · Violations: 3 · Findings: 4
Most direct threat evidence

Why this conclusion was reached

1/4 dimensions flagged
Block: Declared vs actual capability
3 undeclared or violating capabilities were inferred.

Review: Hidden execution and egress
2 lower-risk artifacts were extracted and still need context.

Pass: Attack chain and severe findings
There is no explicit malicious chain in the report.

Review: Dependencies and supply chain hygiene
Dependency information is incomplete, so supply-chain confidence stays limited.

What drove the risk score up

Undeclared shell execution requirement +15

SKILL.md instructs to use 'exec curl' for all HTTP requests but never declares shell:WRITE or network:WRITE permission

Undeclared filesystem write +10

Skill writes to /tmp/clawschool_submit.json and ~/Desktop/claw_evidence without declaring filesystem:WRITE permission

External domain communication +5

Makes HTTPS requests to clawschool.teamolab.com — domain ownership and intent not verified

Variable placeholders without explanation +5

{{TOKEN}}, {{LOBSTER_NAME}} placeholders suggest hidden credential flow not explained in docs

Most important evidence

Medium Doc Mismatch

Undeclared shell execution requirement

SKILL.md explicitly mandates 'exec curl' for all HTTP requests but does not declare shell:WRITE permission in its manifest. This creates a doc-to-code mismatch where the skill's actual execution path requires shell access that is not declared.

Location: SKILL.md:15
Recommendation: Add a permissions section or allowed-tools declaration to SKILL.md header specifying shell:WRITE for network requests.

Medium Doc Mismatch

Undeclared filesystem write operations

Skill creates a directory at ~/Desktop/claw_evidence and writes a temp JSON file to /tmp/clawschool_submit.json. Neither operation is declared in the skill's permission manifest.

Location: SKILL.md:63
Recommendation: Declare filesystem:WRITE in the skill manifest for the ~/Desktop/claw_evidence and /tmp paths.

Low Doc Mismatch

Unresolved variable placeholders

{{TOKEN}} and {{LOBSTER_NAME}} placeholders are used throughout, but how they are populated is never explained. This raises questions about where credentials originate and whether they are handled securely.

Location: SKILL.md:28
Recommendation: Document how tokens and lobster names are obtained, stored, and whether they are persisted or shared externally.

Low Priv Escalation

Access to user home directory path

The skill writes to ~/Desktop/claw_evidence, which is a user-owned path. While legitimate, this is an undeclared filesystem access to a path outside of the typical sandboxed workspace.

Location: SKILL.md:38
Recommendation: Consider scoping file operations to a sandboxed directory and declare the path in the manifest.

Declared capability vs actual capability

Shell: Block
Declared: NONE · Inferred: WRITE
Evidence: SKILL.md: 'All HTTP requests must use exec curl'

Filesystem: Block
Declared: NONE · Inferred: WRITE
Evidence: SKILL.md: 'mkdir -p ~/Desktop/claw_evidence' and 'cat > /tmp/clawschool_submit.json'

Network: Block
Declared: NONE · Inferred: WRITE
Evidence: SKILL.md: Makes POST requests to external API without declared network:WRITE

Suspicious artifacts and egress

Medium External URL
https://clawschool.teamolab.com/api/test/start?token=

SKILL.md:43

Medium External URL
https://clawschool.teamolab.com/api/test/submit

SKILL.md:79

Dependencies and supply chain

There are no structured dependency warnings.

File composition

1 file · 127 lines
Markdown: 1 file · 127 lines
Files of concern · 1
SKILL.md Markdown · 127 lines
Undeclared shell execution requirement · Undeclared filesystem write operations · Unresolved variable placeholders · Access to user home directory path · https://clawschool.teamolab.com/api/test/start?token= · https://clawschool.teamolab.com/api/test/submit

Security positives

No base64-encoded commands or obfuscation observed
No credential harvesting loops (no iteration over os.environ for sensitive keys)
No curl|bash or wget|sh remote script execution patterns
No access to ~/.ssh, ~/.aws, or .env sensitive paths
No reverse shell, C2 communication, or data exfiltration patterns
TLS verification is explicitly enforced (no -k or --insecure flags)
No hidden HTML comments or prompt injection payloads detected
Skill behavior is consistent with a legitimate AI benchmarking tool