Is skillvet safe?
https://clawhub.ai/oakencore/skillvet
Skillvet is a legitimate bash-based security scanner for ClawHub skills with 48 detection checks and a comprehensive test suite. However, it presents moderate risk due to: (1) opaque base64-encoded pattern files that cannot be audited and whose contents feed directly into shell commands, (2) the .skillvetrc mechanism that allows scanned skills to disable checks against themselves, and (3) the scan-remote feature that downloads arbitrary skill code to disk via clawdhub install before scanning. The skill's runtime behavior during install was clean — no network activity, no canary access, no suspicious filesystem changes.
Findings (9)
HIGH: Shell scripts execute with full user privileges including rm -rf (-20)
safe-install.sh performs 'rm -rf' on skill directories. skill-audit.sh performs extensive filesystem traversal. These are powerful operations running as the user.
MEDIUM: scan-remote.sh downloads arbitrary skill code to temp directory (-15)
Running scan-remote causes 'clawdhub install' to execute for an arbitrary slug, downloading potentially malicious code to disk before scanning.
MEDIUM: Base64-encoded patterns.b64 and fixtures.b64 are not auditable (-10)
Core detection logic and test fixtures are base64-encoded in files not present in the evidence. Cannot verify these contain only regex patterns and not executable payloads.
MEDIUM: SKILL.md contains extensive offensive security vocabulary (-18)
The documentation catalogs dozens of attack patterns, malware techniques, and known C2 infrastructure. While legitimate for a scanner, this content enters the agent's context window.
MEDIUM: Security tool trust paradox with opaque encoded components (-25)
Users trust security scanners implicitly. The base64-encoded pattern file could be updated in a future version to contain malicious payloads instead of regex patterns, and the encoding provides cover.
MEDIUM: Scanned skills can influence their own scan via .skillvetrc (-15)
A malicious skill can ship a .skillvetrc file that disables the checks it would fail, defeating the scanner.
LOW: Bypass hints in false-positive exclusion logic (-10)
Check #9 skips prompt injection findings if the line also contains 'example', 'never', 'attack', 'malicious', 'warning', etc. This teaches attackers to include these words alongside injection text.
LOW: Safe-install destroys forensic evidence after install hooks run (-10)
Auto-removal on critical findings deletes the skill after clawdhub install hooks have already executed, potentially destroying evidence of what those hooks did.
INFO: Clean install with no network activity or canary access (0)
No suspicious behavior during install. All monitoring channels show clean results.