Back to plugin
Pluginv1.0.0
ClawScan security
Custom Tools · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
SuspiciousApr 16, 2026, 3:06 AM
- Verdict
- suspicious
- Confidence
- medium
- Model
- gpt-5-mini
- Summary
- The plugin mostly matches its description (task, skill, LSP, config tools) and requests no credentials, but parts of the implementation are truncated/unclear and the MCP/stdio features could enable network calls or local command execution not fully visible in the provided files — review the full code before installing.
- Guidance
- Before installing, review the full index.ts (the provided file was truncated) for any occurrences of native process execution (child_process.spawn/exec), filesystem reads (fs.*), or unrestricted HTTP/network clients (fetch/http.request) that could contact arbitrary endpoints or run local commands. If you see stdio/command-based MCP implementations, ask whether you actually need that capability — it can execute local commands if misused. Only configure MCP servers you trust, and avoid providing secrets to untrusted servers. If you cannot review the full source, install in a sandboxed environment with limited network and process permissions or decline installation.
Review Dimensions
- Purpose & Capability
- noteName/description align with the code: the plugin implements task management, skill listing/loading (simulated), LSP helper tools, config management, and an MCP client. No environment variables or unrelated binaries are requested. Minor mismatch: SKILL.md and skill_load indicate dynamic loading of SKILL.md files, but the visible skill_load implementation only returns simulated entries rather than actually loading files. The MCP tools accept HTTP URLs and stdio command strings — this is plausible for an MCP client, but it means the plugin can be configured to contact arbitrary servers or (potentially) run local commands if implemented.
- Instruction Scope
- noteThe SKILL.md contains only normal usage instructions and install steps; it does not instruct the agent to read unrelated files or exfiltrate data. The provided index.ts registers many tools and stores tasks in-memory; the visible code does not access environment vars or arbitrary file paths. However part of index.ts was truncated in the provided listing, so we cannot confirm whether later code performs network calls, spawns processes, reads sensitive files, or accesses other system state.
- Install Mechanism
- okNo install spec is provided (instruction-only install), so nothing is downloaded or written by an installer; the plugin includes source files (index.ts) which will be loaded by the platform. There are no external download URLs or extract steps in the manifest. This is low-risk from an install-sourcing perspective.
- Credentials
- okThe skill declares no required environment variables, primary credential, or config paths. That is proportional to its stated functionality. Note: MCP tools accept user-supplied server URLs/commands — while the plugin doesn't require secrets, if you configure MCP servers you may supply credentials externally; the plugin does not declare or request them.
- Persistence & Privilege
- okFlags show always:false and the plugin does not request permanent elevated privileges. The code registers tools scoped to the plugin; there is no evidence it modifies other plugins' configs or requests global system changes in the visible portion.