https://clawhub.ai/api/v1/skills/clawsec-monitor/file?path=SKILL.md&version=1.0.0
github.com/clawhub.ai/clawsec-monitor
Scanned Thu, 28 May 2026 17:01:19 GMT
Scan ID crawl-hv5svh2476a90pmv66ehoc6y · 1ms
C
SCORE 55 / 100
Verdict: Proceed with caution
3 high-severity findings.
This skill runs unsafe shell commands plus 3 other issues listed below.
0 critical · 3 high · 1 medium · 8 rules passed
Why grade C?
Score · 55 / 100
The current grade reflects 3 high-severity findings (3+ HIGHs → C).
0 CRIT · 3 HIGH · 1 MED · 0 LOW
To reach a higher grade
- Reach B (target score 75): resolve 1 of 3 HIGH (cap is 2).
- Reach A (target score 95): resolve all 3 HIGH.
Thresholds are documented at /docs/grading. Source-of-truth is the grade() function in @skillox/scanner.
Findings · ordered by severity
HIGH · Dangerous shell pattern: curl | shell
The skill contains a shell command pattern (`curl | shell`) commonly used in destructive or supply-chain attacks.
137| Pattern | Matches |
138|---|---|
139| `pipe_to_shell` | `curl <url> \| bash`, `wget <url> \| sh` |← curl | shell — common in destructive or supply-chain attacks
140| `shell_exec` | `bash -c "..."`, `sh -i "..."` |
141| `reverse_shell` | `nc <host> <port>`, `netcat`, `ncat` |
HIGH · Dangerous shell pattern: rm -rf /
The skill contains a shell command pattern (`rm -rf /`) commonly used in destructive or supply-chain attacks.
140| `shell_exec` | `bash -c "..."`, `sh -i "..."` |
141| `reverse_shell` | `nc <host> <port>`, `netcat`, `ncat` |
142| `destructive_rm` | `rm -rf /` |← rm -rf / — common in destructive or supply-chain attacks
143| `ssh_key_inject` | `echo ssh-rsa` (SSH key injection) |
144
HIGH · Sensitive filesystem path referenced
The skill references a path (`/etc/passwd`) that contains credentials or system secrets. Reading this from an unsandboxed skill is a credential-exfiltration vector.
130| `private_key_pem` | `-----BEGIN RSA/OPENSSH/EC/DSA PRIVATE KEY-----` |
131| `ssh_key_file` | `.ssh/id_rsa`, `.ssh/id_ed25519`, `.ssh/authorized_keys` |
132| `unix_sensitive` | `/etc/passwd`, `/etc/shadow`, `/etc/sudoers` |← sensitive path — credential-exfiltration vector
133| `dotenv_file` | `/.env`, `/.aws/credentials` |
134| `ssh_pubkey` | `ssh-rsa <key>` (40+ chars) |
MEDIUM · No capability manifest declared
The skill ships without a `manifest.yaml` or `capabilities` block in its frontmatter. Without a manifest, the runtime cannot enforce what this skill is permitted to do.
Rule: no-manifest
Report: skillox.io/r/crawl-hv5svh2476a90pmv66ehoc6y