clawhub-publish-conventions @ 1.1.0
github.com/clawhub.ai/clawhub-publish-conventions
Verdict: Proceed with caution
0 critical · 0 high · 7 medium
Grade C · SCORE 55 / 100
Why grade C?
score · 55 / 100
The current grade reflects 7 medium findings (6+ MEDs → C).
0 CRIT · 0 HIGH · 7 MED · 0 LOW
To reach a higher grade
- Reach B (target score 75): resolve 2 of 7 MED (cap is 5).
- Reach A (target score 95): resolve 5 of 7 MED (cap is 2).
Thresholds are documented at /docs/grading. Source-of-truth is the grade() function in @skillox/scanner.
Latest scan findings
Scan crawl-h9jitlof0ot4s1a2zvd92fwp · Thu, 28 May 2026 16:35:06 GMT · 3ms
Arbitrary subprocess execution detected
The skill spawns subprocesses. Without a capability manifest declaring this, the skill could execute arbitrary commands.
172: return safe
173:
174: # Apply to every subprocess.run, subprocess.Popen, os.exec* call  ← spawns a subprocess outside declared capabilities
175: subprocess.run(cmd, env=_build_safe_env(), ...)
176: ```
Arbitrary subprocess execution detected
The skill spawns subprocesses. Without a capability manifest declaring this, the skill could execute arbitrary commands.
173:
174: # Apply to every subprocess.run, subprocess.Popen, os.exec* call
175: subprocess.run(cmd, env=_build_safe_env(), ...)  ← spawns a subprocess outside declared capabilities
176: ```
177:
Arbitrary subprocess execution detected
The skill spawns subprocesses. Without a capability manifest declaring this, the skill could execute arbitrary commands.
187: # Safe: argument list form
188: cmd = [DOCKER_BIN, "run", "--rm", "--network=none", "-v", f"{path}:/sandbox:ro", image_name]
189: subprocess.run(cmd, env=safe_env, timeout=300)  ← spawns a subprocess outside declared capabilities
190: ```
191:
Arbitrary subprocess execution detected
The skill spawns subprocesses. Without a capability manifest declaring this, the skill could execute arbitrary commands.
196: grep -rn "shell=True" scripts/ # should return nothing
197:
198: # Verify: all subprocess.run calls pass env=  ← spawns a subprocess outside declared capabilities
199: grep -rn "subprocess.run" scripts/ | grep -v "env=" # should return nothing
200: ```
Arbitrary subprocess execution detected
The skill spawns subprocesses. Without a capability manifest declaring this, the skill could execute arbitrary commands.
197:
198: # Verify: all subprocess.run calls pass env=
199: grep -rn "subprocess.run" scripts/ | grep -v "env=" # should return nothing  ← spawns a subprocess outside declared capabilities
200: ```
201:
Arbitrary subprocess execution detected
The skill spawns subprocesses. Without a capability manifest declaring this, the skill could execute arbitrary commands.
224: | `--dry-run` doesn't exist | No preview mode, publish directly |
225: | Scanner says "required binaries: none" | Add `metadata.required_binaries` (not just `required_commands`) |
226: | Scanner says "could expose host secrets" | Add `_build_safe_env()` with whitelist, pass `env=` to all subprocess.run |  ← spawns a subprocess outside declared capabilities
227: | Scanner says "shell injection" | Replace shell=True f-strings with argument lists |
228: | Scanner says "truncated/omitted files" | Ensure all .py scripts have docstrings the scanner can read |
No capability manifest declared
The skill ships without a `manifest.yaml` or `capabilities` block in its frontmatter. Without a manifest, the runtime cannot enforce what this skill is permitted to do.
rule: no-manifest
skillox.io/c/clawhub-publish-conventions