https://clawhub.ai/api/v1/skills/clawsec-bak/file?path=SKILL.md&version=1.0.0
github.com/clawhub.ai/clawsec-bak
Scanned Thu, 28 May 2026 17:10:29 GMT
Scan ID crawl-uwejklj5tsw7e2urk7g6urkz · 1ms
C
SCORE 55 / 100
Verdict: Proceed with caution
3 high-severity findings.
This skill runs unsafe shell commands plus 3 other issues listed below.
0 critical · 3 high · 1 medium · 8 rules passed
Why grade C?
score · 55 / 100
The current grade reflects 3 high-severity findings (3+ HIGHs → C).
0 CRIT · 3 HIGH · 1 MED · 0 LOW
To reach a higher grade
- B: Reach B (target score 75). Resolve 1 of 3 HIGH (cap is 2).
- A: Reach A (target score 95). Resolve all 3 HIGH.
Thresholds are documented at /docs/grading. Source-of-truth is the grade() function in @skillox/scanner.
Findings · ordered by severity
high · Dangerous shell pattern: curl | shell
The skill contains a shell command pattern (`curl | shell`) commonly used in destructive or supply-chain attacks.
31| Pattern name | What it matches |
32|---|---|
33| `pipe_to_shell` | `curl <url> \| bash`, `wget <url> \| sh` |← curl | shell — common in destructive or supply-chain attacks
34| `shell_exec` | `bash -c "..."`, `sh -i "..."` |
35| `reverse_shell` | `nc <host> <port>` / `netcat` / `ncat` |
high · Dangerous shell pattern: rm -rf /
The skill contains a shell command pattern (`rm -rf /`) commonly used in destructive or supply-chain attacks.
34| `shell_exec` | `bash -c "..."`, `sh -i "..."` |
35| `reverse_shell` | `nc <host> <port>` / `netcat` / `ncat` |
36| `destructive_rm` | `rm -rf /` |← rm -rf / — common in destructive or supply-chain attacks
37| `ssh_key_inject` | `echo ssh-rsa` (SSH key injection attempt) |
38
high · Sensitive filesystem path referenced
The skill references a path (`/etc/passwd`) that contains credentials or system secrets. Reading this from an unsandboxed skill is a credential-exfiltration vector.
24| `private_key_pem` | `-----BEGIN RSA/OPENSSH/EC/DSA PRIVATE KEY-----` |
25| `ssh_key_file` | `.ssh/id_rsa`, `.ssh/id_ed25519`, `.ssh/authorized_keys` |
26| `unix_sensitive` | `/etc/passwd`, `/etc/shadow`, `/etc/sudoers` |← sensitive path — credential-exfiltration vector
27| `dotenv_file` | `/.env`, `/.aws/credentials` |
28| `ssh_pubkey` | `ssh-rsa <key>` (40+ chars) |
med · No capability manifest declared
The skill ships without a `manifest.yaml` or `capabilities` block in its frontmatter. Without a manifest, the runtime cannot enforce what this skill is permitted to do.
rule: no-manifest
skillox.io/r/crawl-uwejklj5tsw7e2urk7g6urkz