Pluginv0.0.1

ClawScan security

SF Plugin Curated Test · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

SuspiciousApr 9, 2026, 1:39 AM

Verdict: suspicious
Confidence: medium
Model: gpt-5-mini
Summary: The bundle is a large, coherent Salesforce skill collection, but the runtime instructions assume access to Salesforce orgs, CLI tools, and libraries (Mermaid renderer, Polars/PyArrow, etc.) that are not declared or scoped — review before granting org credentials or shell access.
Guidance: This bundle contains many Salesforce-focused guides and runtime instructions that assume access to your Salesforce org(s), the sf CLI, Python tools, and analysis libraries (Polars/PyArrow) even though none of those are declared as required environment variables. Before installing or enabling this skill: 1) Do not provide production org credentials; test in a sandbox. 2) Confirm how your host supplies Salesforce auth (stored secrets, interactive oauth, CLI alias) and whether the skill will be allowed to run destructive commands (create/update/delete). 3) If your agent host can run shell commands, review the referenced scripts (scripts/*.py, build/test commands) to ensure they are safe; run them locally in an isolated environment first. 4) Expect the skill to request tokens / target-org aliases at runtime — only grant least-privilege access and limit scope/expiry. 5) If you need only offline/script generation, explicitly instruct the skill to stay in 'script generation' mode to avoid remote execution. If you want me to, I can list the exact SKILL.md files that request remote org actions and the specific commands they reference so you can audit them.

Review Dimensions

Purpose & Capability: noteThe package purpose (Salesforce skill bundle / plugin wrapper) matches the included SKILL.md files: many sf-* skills for Apex, Flow, Data, Observability, Diagrams, etc. However, many skills explicitly require platform capabilities (Salesforce org access, Data 360, JWT/ECA auth), host tooling (Salesforce CLI, Python), or renderers (Mermaid-capable renderer) that are not declared in the bundle metadata. That omission is a mismatch worth noting but could be an artifact of being instruction-only.
Instruction Scope: concernSKILL.md content instructs the agent to run CLI commands (sf data, sf apex), execute Python scripts in the repo, extract production telemetry (Parquet/STDM), and perform remote org operations unless the user requests local-only script generation. These instructions can act on remote org data and request org alias/auth and file paths; yet there is no explicit, centralized description of how credentials are obtained or consented to. The instructions also suggest writing local artifacts (generated persona files) and running build/test scripts.
Install Mechanism: okThere is no install spec and no code files executed by an automated installer; this is instruction-only content and the repository files are packaged as-is. That lowers installer risk because nothing will be downloaded/installed automatically by the bundle itself.
Credentials: concernThe skill metadata declares no required env vars or primary credential, but many skills clearly require sensitive credentials or access (Salesforce org auth, JWT/ECA, Data 360 permissions, possibly API tokens). The absence of declared environment/credential requirements is disproportionate to the operational needs described in the SKILL.md files and could lead to ad-hoc requests for sensitive tokens at runtime.
Persistence & Privilege: noteThe bundle is not always-enabled and does not request elevated platform privileges. Several agent manifests set allow_implicit_invocation:true which permits the host to implicitly route relevant intents to these skills (expected for skill bundles). Some skills describe writing generated artifacts to local paths (e.g., _local/generated/...), which is typical for authoring workflows but means files will be created if the agent is allowed to execute tooling.