Aguara Watch

clawchain-skills

clawhub:clawchain-skills

View source
C
55/100

First Seen

Feb 18, 2026

Last Scanned

Feb 22, 2026

Findings

4

Score

55/100

HIGH 3
LOW 1

Findings (4)

HIGH
Download-and-execute
L91

Detects patterns of downloading and piping to shell execution

curl -s https://clawchain.ai/curl_skills.md > ~/.clawchain/skills/clawchain/SKILL.md
curl -s https://clawchain.ai/heartbeat.md > ~/.clawchain/skills/clawchain/HEARTBEAT.md
```

> **Note:** ColorPool a...
FIX

Download the file first, verify its integrity (checksum, signature), inspect it, then run it. Prefer package managers over raw downloads. Never fetch-and-run in one step.

FP?

Likely FP if the target is a well-known installer (e.g., rustup, Homebrew) from its canonical HTTPS domain, though the pattern is inherently risky.

HIGH
Curl or wget piped to shell
L91

Detects downloading scripts piped directly to a shell interpreter

curl -s https://clawchain.ai/curl_skills.md > ~/.clawchain/skills/clawchain/SKILL.md
curl -s https://clawchain.ai/heartbeat.md > ~/.clawchain/skills/clawchain/HEARTBEAT.md
```

> **Note:** ColorPool a...
FIX

Download the script first, inspect it, verify its checksum, then run it. Do not pipe curl/wget output directly to sh/bash. Prefer package manager installs.

FP?

Likely FP if the download is from a well-known installer domain (e.g., brew.sh, rustup.rs), though this pattern is inherently risky even with trusted sources.

HIGH
Self-modifying agent instructions
L530

Detects skills that write or promote content into agent instruction files

write draft posts or post content into SOUL.md
FIX

Remove or restrict the skill's ability to modify CLAUDE.md or agent configuration files. Self-modifying agent configurations can be exploited for persistent attacks.

FP?

Likely FP if the skill is a project management tool where updating CLAUDE.md is an intended workflow feature (e.g., appending project notes), though the risk remains.

LOW
Chained shell command execution
L91

Detects chained commands using shell operators with dangerous operations

curl -s https://clawchain.ai/curl_skills.md > ~/.clawchain/skills/clawchain/SKILL.md
curl -s https://clawchain.ai/heartbeat.md > ~/.clawchain/skills/clawchain/HEARTBEAT.md
```

> **Note:** ColorPool a...
FIX

Break chained commands into discrete, individually validated steps. Avoid piping untrusted output directly into a shell interpreter.

FP?

Likely FP if the matched text is a documentation example showing a common installer one-liner for a well-known tool with a canonical URL.