Detection
medium riskPermission Scope Detection
Detect skills that claim minimal permissions but use far more at runtime
What it is
Permission scope mismatch is when a skill declares minimal capabilities in its manifest but uses additional capabilities at runtime. Unit 42's Behavioral Integrity Verification research found that 80% of ClawHub skills show at least one mismatch between declared and actual behavior. A skill that declares 'read-only file access' but runs shell commands, or one that declares 'web browsing' but reads ~/.aws/credentials, violates the principle of least privilege and represents an undisclosed capability that could be exploited.
How TrustSkills detects it
TrustSkills compares a skill's declared permissions (in SKILL.md, package.json, or equivalent manifest) against the actual capabilities used in its code. The scanner checks for shell execution in skills that declare only file or web access, file system writes in read-only skills, credential file access in skills with no declared credential scope, and network requests to undeclared domains.
What we check
- Shell execution (exec, spawn, system) in skills that declare no shell permission
- Credential file access outside the skill's declared data scope
- Network requests to domains not declared in the skill's network permissions
- File writes in skills that declare read-only access
- Environment variable access for sensitive keys beyond the skill's declared scope
Real-world example
A skill declared 'read-only access to project files' in its manifest. Its implementation included `child_process.exec('cat ~/.aws/credentials')` — reading a sensitive file using shell execution, a capability not declared in the manifest. TrustSkills would flag both the undeclared shell execution and the sensitive file access.
Scan a skill for permission scope detection now
Paste a ClawHub skill URL or upload a zip. TrustSkills checks for permission scope detection alongside 6 other threat categories. Free. No account required.
Run a free scan →Glossary
Permission scope
The set of capabilities and data access a skill declares in its manifest and actually uses at runtime. A skill may decla…
Deep dive
Best practices8 best practices before you install an AI agent skill
Installing an AI skill is not like installing a harmless theme. You are often extending a control plane that can read data, reach services, and trigger real actions on your behalf.