Trust Assessment
clawgle received a trust score of 73/100, placing it in the Caution category. This skill has some security considerations that users should review before deployment.
SkillShield's automated analysis identified 5 findings: 0 critical, 1 high, 2 medium, and 2 low severity. Key findings include an unpinned npm dependency version, a missing Node lockfile, and a configurable API endpoint combined with arbitrary file read that allows potential data exfiltration.
The analysis covered 4 layers: Manifest Analysis, Static Code Analysis, Dependency Graph, LLM Behavioral Safety. All layers scored 70 or above, reflecting consistent security practices.
Last analyzed on February 14, 2026 (commit 13146e6a). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.
Security Findings (5)
| Severity | Finding | Layer | Location |
|---|---|---|---|
| HIGH | **Configurable API endpoint and arbitrary file read allows potential data exfiltration.** The skill is designed to read content from user-specified files (or stdin) for analysis and publishing. The target API endpoint (`CLAWGLE_API_URL`) can be overridden via an environment variable. If an attacker can control the `CLAWGLE_API_URL` and trick the agent into providing a path to a sensitive local file, the content of that file could be exfiltrated to a malicious server. While the skill includes a `privacyScan` feature to detect and block sensitive content, this feature can be disabled via configuration (`--privacy-scan=false` or `privacyScan: false` in `~/.clawgle.json`), potentially bypassing the protection. Recommendations: 1. **Stronger `privacyScan` enforcement**: Consider making `privacyScan` harder to disable or requiring explicit user confirmation for publishing when it is disabled. 2. **Agent-side validation**: Advise agents using this skill to implement their own checks before providing file paths or confirming publication, especially if `CLAWGLE_API_URL` is not the default. 3. **Scope limitation**: If possible, limit the directories from which files can be read (e.g., only within a specific project workspace), though this might hinder legitimate use cases. 4. **User awareness**: Clearly document the implications of disabling `privacyScan` or overriding `CLAWGLE_API_URL`. | LLM | clawgle.ts:18 |
| MEDIUM | **Unpinned npm dependency version.** Dependency `tsx` is not pinned to an exact version (`^4.21.0`). Pin dependencies to exact versions to reduce drift and supply-chain risk. | Dependencies | skills/andrewbouras/clawgle/package.json |
| MEDIUM | **Skill designed to read arbitrary local files.** The `clawgle analyze` and `clawgle publish` commands are designed to accept arbitrary file paths from the user/agent. This grants the skill the ability to read any file accessible to the agent's process. While this is necessary for the skill's core functionality (analyzing and publishing code), it represents a powerful permission that could be exploited if an agent is tricked into providing paths to sensitive system files or credentials, especially if combined with a malicious `CLAWGLE_API_URL` and a disabled `privacyScan`. Recommendations: 1. **Agent-side sandboxing**: Recommend that agents execute this skill within a sandboxed environment with restricted file system access. 2. **User confirmation**: For publishing, ensure the agent always confirms with the user, especially when sensitive content is detected or `privacyScan` is off. 3. **Clear documentation**: Emphasize the file access capabilities and the importance of `privacyScan`. | LLM | SKILL.md:40 |
| LOW | **Node lockfile missing.** `package.json` is present but no lockfile was found (`package-lock.json`, `pnpm-lock.yaml`, or `yarn.lock`). Commit a lockfile for deterministic dependency resolution. | Dependencies | skills/andrewbouras/clawgle/package.json |
| LOW | **Dependencies pinned with caret (`^`) operator.** The `package.json` uses the caret (`^`) operator for the `tsx` and `typescript` dependencies. This allows automatic updates to minor and patch versions. While convenient, it introduces a slight risk that a new version within the allowed range could contain a vulnerability or breaking change not present in the exact version tested. For security-critical components, exact pinning is sometimes preferred to ensure deterministic dependency resolution. Consider using exact version pinning (e.g., `"tsx": "4.21.0"`) or ensure a lock file (`package-lock.json` or `yarn.lock`) is consistently used and committed to guarantee deterministic dependency resolution across environments. | LLM | package.json:16 |