Scan Report
5 /100
skill-vetting
Vet ClawHub skills for security and utility before installation
This is a legitimate security-scanning skill for vetting ClawHub skills. All flagged IOCs are teaching examples in documentation, not actual malicious code.
Safe to install
This skill is safe to install and use. The scanner and documentation are well-designed for their security-review purpose.
| Resource | Declared | Inferred | Status | Evidence |
|---|---|---|---|---|
| Filesystem | READ | READ | ✓ Aligned | SKILL.md: scanner reads skill files for pattern matching |
| Network | READ | READ | ✓ Aligned | SKILL.md: download examples show curl to clawhub.ai only |
| Shell | NONE | NONE | — | No shell execution in scanner.py; subprocess patterns detected are for security … |
Findings: 6 (1 Critical, 5 Medium)

| Severity | Type | Match | Location |
|---|---|---|---|
| Critical | Dangerous Shell Command | `rm -rf /` | references/patterns.md:20 |
| Medium | External URL | https://clawhub.ai/api/v1/download?slug=SLUG | ARCHITECTURE.md:138 |
| Medium | External URL | https://clawhub.ai/api/v1/download?slug=SKILL_NAME | SKILL.md:15 |
| Medium | External URL | https://attacker.com/exfil | references/patterns.md:63 |
| Medium | External URL | http://random-ip:8080/payload.py | references/patterns.md:64 |
| Medium | External URL | https://attacker.com | references/patterns.md:159 |

Every non-clawhub.ai hit, including the critical one, sits in references/patterns.md, the red-flag documentation the skill ships; the two clawhub.ai URLs are the download examples the resource table already accounts for.

File Tree
5 files · 30.2 KB · 904 lines (Markdown: 3 files, 667 lines; Python: 1 file, 232 lines; JSON: 1 file, 5 lines)

├─ references/
│  └─ patterns.md (Markdown)
├─ scripts/
│  └─ scan.py (Python)
├─ _meta.json (JSON)
├─ ARCHITECTURE.md (Markdown)
└─ SKILL.md (Markdown)
Security Positives
✓ Comprehensive security scanner with pattern detection for code execution, obfuscation, network calls, and prompt injection
✓ Clear documentation of red flags and legitimate vs suspicious patterns
✓ Prompt injection detection with CRITICAL severity rules
✓ Well-structured pattern database for security analysis
✓ Exit codes properly implemented (0=clean, 1=issues found)
✓ No actual malicious code, only teaching examples
✓ Documentation accurately describes tool capabilities
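As an added worked example (not the skill's own scripts/scan.py, and not code from the report), the following reproduces the shape of the checks listed above: a line-by-line pattern scan for dangerous commands, code execution, obfuscation, external URLs and prompt injection, file:line findings, severity counts, and the 0/1 exit-code convention. It adds one step the report's six findings make a case for: a triage that keeps hits in documentation on a review queue instead of treating them as actionable, while still treating prompt injection in SKILL.md as live because the agent reads that file. The rule set, the severities, the documentation suffix list and the sample skill contents are all assumptions constructed for this illustration.

```python
"""Minimal pattern-based skill scanner: an added illustration of the checks the
report above lists, not the skill's own scripts/scan.py. Rule set, severities,
the documentation-vs-code triage and the sample files are all assumptions."""
import re
from collections import Counter
from typing import Dict, List, NamedTuple, Tuple


class Finding(NamedTuple):
    severity: str  # Critical / High / Medium
    rule: str      # rule name, e.g. "External URL"
    match: str     # matched text
    path: str      # file the match came from
    line: int      # 1-based line number
    context: str   # "code" or "documentation"


# Assumed rule set: (severity, rule name, regex). A real scanner carries many more.
RULES = [
    ("Critical", "Dangerous Command", re.compile(r"\brm\s+-rf\s+/(?![\w.])")),
    ("Critical", "Prompt Injection",
     re.compile(r"ignore (?:all )?(?:previous|prior) instructions", re.I)),
    ("High", "Code Execution",
     re.compile(r"\b(?:eval|exec)\s*\(|\bsubprocess\.(?:run|Popen|call|check_output)\b")),
    ("High", "Obfuscation",
     re.compile(r"base64\.b64decode\s*\(|(?:\\x[0-9a-fA-F]{2}){4,}")),
    ("Medium", "External URL", re.compile(r"https?://[^\s'\")>`]+")),
]

DOC_SUFFIXES = (".md", ".txt", ".rst")  # assumed: treat these as documentation


def scan_text(path: str, text: str) -> List[Finding]:
    """Run every rule over every line of one file and record file:line hits."""
    context = "documentation" if path.lower().endswith(DOC_SUFFIXES) else "code"
    found = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for severity, rule, pattern in RULES:
            for m in pattern.finditer(line):
                found.append(Finding(severity, rule, m.group(0), path, lineno, context))
    return found


def scan_skill(files: Dict[str, str]) -> List[Finding]:
    """Scan an in-memory {path: contents} map, e.g. an unpacked skill archive."""
    findings: List[Finding] = []
    for path in sorted(files):
        findings.extend(scan_text(path, files[path]))
    return findings


def triage(findings: List[Finding]) -> Tuple[List[Finding], List[Finding]]:
    """Split findings into ones to act on and ones to read in context.

    A hit in code is actionable as-is. A hit in documentation is often a teaching
    example (as with every finding in the report above), so it goes to a review
    queue rather than being dropped. Prompt injection is the exception: SKILL.md
    is read by the agent, so injected instructions there are live, not a doc.
    """
    actionable = [f for f in findings
                  if f.context == "code" or f.rule == "Prompt Injection"]
    review = [f for f in findings if f not in actionable]
    return actionable, review


def severity_counts(findings: List[Finding]) -> Dict[str, int]:
    return dict(Counter(f.severity for f in findings))


def exit_code(findings: List[Finding]) -> int:
    """Same convention as the report: 0 = clean, 1 = issues found."""
    return 1 if findings else 0


# Constructed sample skill shaped like the report: IOCs appear only in documentation.
SAMPLE_SKILL = {
    "SKILL.md": (
        "# demo-skill\n"
        "Install with:\n"
        "    curl https://clawhub.ai/api/v1/download?slug=SKILL_NAME\n"
    ),
    "references/patterns.md": (
        "Red flags to look for:\n"
        "- `rm -rf /` in an install step\n"
        "- exfiltration such as a POST to https://attacker.com/exfil\n"
    ),
    "scripts/scan.py": "import re\n\n\ndef main():\n    return 0\n",
}

if __name__ == "__main__":
    results = scan_skill(SAMPLE_SKILL)
    actionable, review = triage(results)
    for f in results:
        print(f"{f.severity:8} {f.rule:18} {f.match:48} {f.path}:{f.line} [{f.context}]")
    print(f"{len(actionable)} actionable, {len(review)} for review; "
          f"counts={severity_counts(results)}; exit={exit_code(results)}")
```

Run against the constructed sample, the scanner reports the same kind of result as the report above: a Critical `rm -rf /` and two Medium URLs, all in .md files, so the triage step leaves nothing actionable while the exit code still signals that a human should read the review queue. The same scanner treats "ignore all previous instructions" in SKILL.md as actionable even though SKILL.md is documentation, which is the one place where "it's only in the docs" is not a safe dismissal.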