ClawAudit verdict
skill-risk-auditor
The skill appears to be designed for auditing skills, with no clear evidence of malicious behavior.
⚠ Flagged for review — coarse, uncorroborated signal, not a confirmed exploit. Review the config yourself before installing.
Automated static analysis — not a human review. ClawAudit flags capabilities, not confirmed intent, and can produce false positives. Disagree with this verdict? Use Dispute below.
Findings (9)
Instruction-prose smuggling shape detected: collects a sensitive target ("environment variables") and emits it outward ("post"). Phrased as prose with no trigger tokens — a semantic prompt-injection / data-exfil pattern the syntactic scanners can't see. Final tier capped at Caution; review the instructions before installing.
SKILL.md · - **Direct data access:** Which files, settings, environment variables, and secrets does the skill read? Is this access proportionate to its stated purpose? - *
Accesses .ssh directory
SKILL.md · prose · downgraded · .ssh/
Instructs covert action — may act without user awareness
SKILL.md · prose · downgraded · silently
Accesses system credential store
SKILL.md · prose · downgraded · keychain
Accesses cloud provider credentials
SKILL.md · prose · downgraded · ~/.aws
Accesses Kubernetes config (may contain cluster credentials)
SKILL.md · prose · downgraded · ~/.kube/config
References sudo — requests elevated privileges
SKILL.md · prose · downgraded · sudo
Base64 encoding/decoding
SKILL.md · prose · downgraded · base64-encode
References agent memory files
SKILL.md · prose · downgraded · MEMORY.md
Permissions & capabilities
No declared permissions — minimal attack surface.
network_in Is this flag fair?
Thanks — recorded.