Trust Assessment
clawhub received a trust score of 65/100, placing it in the Caution category. This skill has some security considerations that users should review before deployment.
SkillShield's automated analysis identified 4 findings: 1 critical, 1 high, 2 medium, and 0 low severity. Key findings include Excessive Permissions and Command Execution Capability, Unpinned Dependency and External Code Execution from Untrusted Registry, and Potential Data Exfiltration via `clawhub publish`.
The analysis covered 4 layers: Manifest Analysis, Static Code Analysis, Dependency Graph, LLM Behavioral Safety. The LLM Behavioral Safety layer scored lowest at 41/100, indicating areas for improvement.
Last analyzed on February 18, 2026 (commit b62bd290). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.
Security Findings (4)
| Severity | Finding | Layer | Location |
|---|---|---|---|
| CRITICAL | **Excessive Permissions and Command Execution Capability.** The skill installs the `clawhub` CLI globally via `npm`, granting it broad system access. It then uses this CLI to perform high-privilege operations such as installing new skills from an external registry (`clawhub install`) and publishing local directories (`clawhub publish`). This capability allows the agent to execute arbitrary commands on the host system and introduce new code, posing a significant security risk if the agent is compromised or prompted maliciously. Arguments passed to `clawhub` commands, if derived from untrusted input, could lead to command injection. Re-evaluate the necessity of global installation and the broad scope of operations. Consider sandboxing the `clawhub` CLI execution, restricting its access to specific directories, or requiring explicit user confirmation for sensitive operations like `install` and `publish`. Implement strict input validation and sanitization for any arguments passed to `clawhub` commands that originate from untrusted sources. | LLM | SKILL.md:5 |
| HIGH | **Unpinned Dependency and External Code Execution from Untrusted Registry.** The skill's manifest specifies the installation of the `clawhub` npm package without a specific version pin (`'package': 'clawhub'`). This means `npm i -g clawhub` will always fetch the latest version, making the skill vulnerable to malicious updates or maintainer compromise of the `clawhub` package. Furthermore, the `clawhub install` command, as shown in the skill documentation, fetches and executes skills from an external registry (`clawhub.com`), introducing a dependency on a potentially untrusted source of code. A compromised registry or a malicious skill published there could lead to arbitrary code execution on the host system. Pin the `clawhub` npm package to a specific, known-good version in the manifest (e.g., `'package': 'clawhub@1.2.3'`). Implement robust validation and scanning for skills fetched from `clawhub.com` before installation. Consider using a private, trusted skill registry or requiring manual review for new skill installations. | LLM | Manifest:6 |
| MEDIUM | **Potential Data Exfiltration via `clawhub publish`.** The `clawhub publish` command allows uploading local directories (e.g., `./my-skill`) to an external service. If the agent is prompted maliciously, this command could be abused to exfiltrate sensitive local files or entire directories from the host system to an attacker-controlled endpoint or a public registry. Implement strict access controls or user confirmation for the `clawhub publish` command, especially when publishing content from sensitive directories. Restrict the directories from which `publish` can operate, or ensure that the agent cannot be prompted to publish arbitrary paths. | LLM | SKILL.md:30 |
| MEDIUM | **Credential Exposure Risk via `clawhub login`.** The `clawhub login` command is used for authentication and likely handles sensitive credentials or API tokens. If the agent is prompted to use this command with untrusted input, or if the `clawhub` tool itself is compromised, it could lead to the exposure or harvesting of authentication credentials. Ensure that authentication tokens are stored securely (e.g., in a credential manager) and are not directly exposed to the agent or command line. Implement safeguards to prevent the agent from being prompted to log in with untrusted credentials or to display sensitive authentication information. | LLM | SKILL.md:9 |