ClawAudit verdict
context-engineering-collection
agent-skills-context
This skill seems to provide general guidance and information about context engineering for AI agents. It does not appear to use any capabilities in a way that would be considered risky or dangerous.
⚠ Flagged for review — coarse, uncorroborated signal, not a confirmed exploit. Review the config yourself before installing.
Automated static analysis — not a human review. ClawAudit flags capabilities, not confirmed intent, and can produce false positives. Disagree with this verdict? Use Dispute below.
Findings (18)
Raw model control tokens — prompt injection via token manipulation
  examples/book-sft-pipeline/references/tinker-format.md · code · <|im_start|>
Possible hardcoded credential
  examples/interleaved-thinking/docs/interleavedthinking.md · code · api_key="<api-key>
Uses exec() — may execute shell commands
  skills/hosted-agents/references/infrastructure-patterns.md · code · exec(
Pipe to python — executes piped content as Python code
  examples/digital-brain-skill/SKILLS-MAPPING.md · prose · downgraded · | Python
Uses eval() — can execute arbitrary code
  examples/interleaved-thinking/examples/03_full_optimization.py · prose · downgraded · eval(
Fake system prompt — attempts to inject instructions
  examples/interleaved-thinking/SKILL.md · code · System: You are
subprocess execution — runs system commands from Python
  skills/filesystem-context/references/implementation-patterns.md · code · subprocess.run(
subprocess with shell=True — command injection vector
  skills/filesystem-context/references/implementation-patterns.md · code · subprocess.run(command, shell=True
os.system/popen — direct OS command execution
  skills/hosted-agents/references/infrastructure-patterns.md · code · os.system(
Instructs covert action — may act without user awareness
  docs/compression.md · prose · downgraded · silently
Popular HTTP library — network access
  examples/book-sft-pipeline/examples/gertrude-stein/sample_outputs.md · code · got
References agent configuration files
  examples/llm-as-judge-skills/README.md · code · AgentConfig
Python shutil file operation — copies/moves/deletes files
  skills/project-development/references/pipeline-patterns.md · code · shutil.rmtree(
Opens WebSocket connection
  skills/hosted-agents/references/infrastructure-patterns.md · code · WebSocket
Python aiohttp session — async network access
  skills/hosted-agents/references/infrastructure-patterns.md · code · aiohttp.ClientSession
Python os.getenv — reads environment variable
  examples/interleaved-thinking/examples/01_basic_capture.py · prose · downgraded · os.getenv(
Python os.environ.get — reads environment variable
  examples/interleaved-thinking/reasoning_trace_optimizer/analyzer.py · prose · downgraded · os.environ.get(
Accesses sensitive environment variables
  examples/llm-as-judge-skills/src/config/index.ts · prose · downgraded · process.env.OPENAI_API_KEY
Why the tier is capped
Execution sink present in raw bytes (Hard Floor: class D). Final tier capped at Caution — cannot be lifted by any downgrade, example-payload opt-in, or allowlist.
Permissions & capabilities
No declared permissions — minimal attack surface.