Pluginv1.0.0

ClawScan security

GOG Extended · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

SuspiciousMar 30, 2026, 4:47 AM

Verdict: suspicious
Confidence: medium
Model: gpt-5-mini
Summary: The skill is an instruction-only workspace/onboarding guide (not a networked integration), but its runtime instructions include conflicting guidance about when to ask permission and explicitly encourage reading, editing, committing, and pushing workspace files — actions that could expose or transmit private data despite no declared credentials or install steps.
Guidance: What to consider before enabling/using this skill: - This is a documentation/onboarding skill that tells an agent to read and write many workspace files (memory, IDENTITY.md, USER.md, etc.). If you value privacy, review those files first and remove secrets. - The skill tells the agent to 'commit and push your own changes' and to assist with connecting external accounts, but it does not declare how pushes or external auth would be authorized. Do not leave git credentials, deploy keys, or tokens in the agent runtime environment if you don't want pushes to occur. - The instructions contain conflicting guidance ('Don't ask permission. Just do it.' vs. 'Ask first for external actions'). Treat the agent as capable of taking proactive file-system actions; if that is not acceptable, disable autonomous invocation or avoid granting the runtime environment write/push credentials. - Recommended safe steps: run this skill in a sandboxed workspace, scan the workspace for secrets before use, remove or lock sensitive files, and restrict or remove any CI/SSH/git credentials from the environment. If you plan to allow pushes, audit what will be committed and where it will be pushed. If you want a firmer assessment, provide the runtime environment details (does the agent have git credentials, network access, or any tokens mounted?), and say whether autonomous invocation will be allowed; that will change the confidence of this evaluation.

Review Dimensions

Purpose & Capability: noteThe files are an onboarding/workspace persona (read/write/update MEMORY.md, BOOTSTRAP.md, etc.). That purpose is plausible for an assistant, but the skill name/one-line description ('gog-extended') do not describe this behavior clearly — the metadata is minimal compared with the large set of runtime instructions that grant broad local file access.
Instruction Scope: concernSKILL.md/AGENTS.md direct the agent to read many workspace files (memory, IDENTITY.md, USER.md, etc.) and to perform proactive tasks (git status, 'commit and push your own changes', check email/calendar/social). It also says 'Don't ask permission. Just do it.' at startup while elsewhere urging caution around external actions — this is inconsistent and grants the agent broad discretion to read and modify potentially sensitive local data and to take actions that could leave the workspace (push/QR/code flows).
Install Mechanism: okInstruction-only skill with no install spec, no binaries, and no code files — low installation risk because nothing is fetched or executed by a supplied installer.
Credentials: noteThe skill declares no required environment variables or credentials, yet the instructions assume the agent can commit/push changes and optionally connect external accounts (show QR codes, guide bot creation). That mismatch is notable: pushing or account linking requires credentials or external flows which are not declared or discussed, creating ambiguity about how those actions would be authorized.
Persistence & Privilege: notealways:false and no automatic installation privileges are good. However, the instructions explicitly encourage modifying/deleting workspace files (delete BOOTSTRAP.md, update MEMORY.md) and committing/pushing changes. Those are normal for an assistant with workspace write access but raise a privilege concern if you did not intend the agent to autonomously change or publish files.