Skills
skills/prompt-security/clawsec/clawsec-clawhub-checker/Gen Agent Trust Hub

clawsec-clawhub-checker

Pass

Audited by Gen Agent Trust Hub on Feb 24, 2026

Risk Level: SAFECOMMAND_EXECUTIONEXTERNAL_DOWNLOADS
Full Analysis
  • [COMMAND_EXECUTION]: The scripts interact with the clawhub CLI using spawnSync. Robust regex validation is applied to skill names and versions to prevent shell injection attacks.
  • [EXTERNAL_DOWNLOADS]: Fetches reputation metadata from the ClawHub registry to assess skill safety.
  • [DYNAMIC_EXECUTION]: The setup script modifies the handler logic of the clawsec-suite skill to inject reputation-checking hooks during installation.
  • [INDIRECT_PROMPT_INJECTION]: The skill processes external data from clawhub CLI output. Evidence Chain: 1. Ingestion points: check_clawhub_reputation.mjs. 2. Boundary markers: None. 3. Capability inventory: spawnSync calls in check_clawhub_reputation.mjs. 4. Sanitization: Uses JSON.parse and strict regex validation on command arguments.
Audit Metadata
Risk Level
SAFE
Analyzed
Feb 24, 2026, 02:01 PM