Comprehensive security auditing for Clawdbot deployments. Scans for exposed credentials, open ports, weak configs, and vulnerabilities. Auto-fix mode included.
Security Analysis
Confidence: medium. The skill mostly matches its stated purpose (a filesystem- and system-command-based audit), but several mismatches and risky choices deserve caution before running it in a real environment: hardcoded paths under /root, broad filesystem access, and an auto-fix mode that changes file permissions.
The skill claims to audit a Clawdbot deployment and ships a Node script that performs filesystem scans and system command checks; that is coherent. However, the script hardcodes CLAWDBOT_DIR = '/root/clawd' and CONFIG_DIR = '/root/clawd/skills/.env' rather than deriving them from the working directory, an environment variable, or declared configuration. That means the script will attempt to read, and in --fix mode modify, files under /root, which is a stronger privilege and scope than the SKILL.md implies. The hardcoded root path is unexpected and disproportionate to the stated one-command usage (node skills/security-audit/scripts/audit.cjs), which suggests a local, repo-scoped run.
The SKILL.md tells the agent (and user) to run the included script; the script reads many files recursively, runs system commands via execSync (ss/netstat, git), inspects .env and config files, and (per documentation) will alter file permissions and create files when run with --fix. The instructions give the agent broad discretion to scan and modify filesystem state under /root/clawd and to run native tools. The SKILL.md claims checks like 'tokens in command history' but the visible code does not show history scanning yet (script truncated) — there is a possible mismatch between documented checks and implemented ones. Overall the runtime instructions allow reading and changing sensitive files beyond the skill's own directory.
This is instruction-only with an included script file and no install spec. No external downloads or package installs are required by the skill metadata, so installation risk is low. The primary risk is the script's runtime behavior rather than any installer.
The skill declares no required environment variables or credentials, but the script will scan for API keys, tokens and secrets across files under the hardcoded /root/clawd directory and may read configuration files (e.g., .env). Asking for no credentials is reasonable for a scanner, but the scanner's implicit requirement is access to potentially sensitive files and the ability to change permissions — which is a privilege mismatch relative to the minimal declared requirements.
The skill is not force-installed (always:false) and does not request persistent agent-level privileges in metadata. However, it exposes an auto-fix mode that will modify file permissions and create files (e.g., .gitignore) when run. If the agent runs this autonomously, auto-fix could change system state. This combination (autonomous invocation allowed by default + auto-fix operations) is a meaningful risk and should be constrained (e.g., require manual confirmation, run read-only first).
Guidance
Do not run this script directly on a production host or as root until you have reviewed it completely. Specific things to do before using it:
1) Inspect the full scripts/audit.cjs source (including the truncated portion) to confirm what --fix changes.
2) Note the hardcoded paths (/root/clawd and /root/clawd/skills/.env); update them to point to the correct deployment path, or run in an environment where those paths are safe.
3) Run the audit in read-only mode (no --fix) and redirect output to JSON to review findings first.
4) Execute it inside an isolated test container or VM with limited permissions and backups in place.
5) Search the code for any network calls or execution of untrusted content (execSync usage is expected for local checks, but review the arguments to ensure no shell injection or exfiltration commands).
6) Only enable auto-fix after you understand and agree with each remediation step and have backups.
If you are uncomfortable auditing the script yourself, ask a trusted sysadmin or security engineer to review it before running.
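The checklist above as a runnable pre-flight, written for this page as an added example; it is not the skill's own code or anything from the listing. It greps a skill script for the things the review above flags (hardcoded /root paths, execSync calls, network modules, permission and file writes), refuses to proceed when a hardcoded /root path or network call is present, and shows a read-only sandboxed run that mounts a copy of the deployment at the path the script expects. Assumptions: the script path skills/security-audit/scripts/audit.cjs given in the listing, --fix being the only write-enabling flag, findings going to stdout, and the node:20-slim image; the sample audit.cjs the script reviews by default is constructed from the listing's description, not the real file.

```shell
#!/bin/sh
# Added example (not from the ClawHub listing or the skill itself): review a
# third-party skill script before running it, then run it read-only in a
# sandbox. Assumptions are marked below.
set -eu

# Extended-regex patterns a reviewer wants to see in context.
HARDCODED_ROOT='/root/'
EXEC_PATTERN='execSync\(|execFileSync\(|exec\(|spawnSync\(|spawn\('
NET_PATTERN='require\([^)]*(http|net|dns|tls)[^)]*\)|fetch\('
WRITE_PATTERN='chmod|writeFile|appendFile|unlink|rename|mkdir|copyFile'

# Print file:line for every line of $1 matching $2 (nothing when none match).
list_matches() {
    grep -n -E -e "$2" "$1" || true
}

# Number of lines in $1 matching $2; prints "0" instead of failing when none.
count_matches() {
    grep -c -E -e "$2" "$1" || true
}

# Summarize what the script can do. Returns 1 when a hardcoded /root path or a
# network call is present, since either should block running it as-is.
review_script() {
    script="$1"
    roots=$(count_matches "$script" "$HARDCODED_ROOT")
    execs=$(count_matches "$script" "$EXEC_PATTERN")
    nets=$(count_matches "$script" "$NET_PATTERN")
    writes=$(count_matches "$script" "$WRITE_PATTERN")
    printf 'hardcoded /root paths: %s\n' "$roots"; list_matches "$script" "$HARDCODED_ROOT"
    printf 'process execution:     %s\n' "$execs"; list_matches "$script" "$EXEC_PATTERN"
    printf 'network calls:         %s\n' "$nets";  list_matches "$script" "$NET_PATTERN"
    printf 'filesystem writes:     %s\n' "$writes"; list_matches "$script" "$WRITE_PATTERN"
    if [ "$roots" -gt 0 ] || [ "$nets" -gt 0 ]; then
        echo 'REFUSE: hardcoded /root path or network call found; fix before running' >&2
        return 1
    fi
    return 0
}

# Constructed stand-in for audit.cjs, modelled only on what the listing
# describes (hardcoded /root paths, execSync for ss/git, a permission change
# and a file creation under --fix). Written to a temp file whose path is printed.
make_sample_script() {
    f=$(mktemp)
    cat > "$f" <<'EOF'
const fs = require('fs');
const { execSync } = require('child_process');
const CLAWDBOT_DIR = '/root/clawd';
const CONFIG_DIR = '/root/clawd/skills/.env';
const fix = process.argv.includes('--fix');
const ports = execSync('ss -tlnp 2>/dev/null || netstat -tlnp').toString();
const status = execSync('git status --porcelain', { cwd: CLAWDBOT_DIR }).toString();
if (fix) fs.chmodSync(CONFIG_DIR, 0o600);
if (fix) fs.writeFileSync(CLAWDBOT_DIR + '/.gitignore', '.env\n');
EOF
    echo "$f"
}

# Read-only run of the real script in a throwaway container: a local copy of
# the deployment is mounted at the path the script hardcodes, but read-only,
# with no network and no capabilities, and stdout is saved for review before
# --fix is ever considered. Not executed by the checks in this file. Assumed
# image: node:20-slim; it lacks ss and git, so those checks report errors
# rather than host state, which is acceptable for a first read-only pass.
run_readonly() {
    deploy="$1"    # local copy of the Clawdbot deployment to audit
    skills="$2"    # directory containing skills/security-audit
    out="$3"       # file that receives the findings
    docker run --rm --network none --cap-drop ALL --read-only --tmpfs /tmp \
        -v "$deploy:/root/clawd:ro" -v "$skills:/work/skills:ro" -w /work \
        node:20-slim node skills/security-audit/scripts/audit.cjs > "$out"
}

# Usage: sh review-skill.sh path/to/audit.cjs
# With no argument the constructed sample is reviewed (and refused).
if [ $# -gt 0 ]; then
    review_script "$1"
else
    review_script "$(make_sample_script)" || true
fi
```

Running it with no argument prints the two /root literals, the two execSync calls and the two write calls from the constructed sample and refuses; pointed at the real scripts/audit.cjs it tells you, before anything executes, which lines to read for step 5 of the checklist. Only after review_script passes (paths made configurable, no network calls) is run_readonly worth invoking, and --fix only after the captured findings have been read.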
Latest Release
v1.0.0
Initial release: credential scanning, port detection, config validation, file permissions, Docker security checks, auto-fix mode
Published by @chandrasekar-r on ClawHub