Skill v1.0.0
ClawScan security
SkillGuard · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Suspicious · Mar 3, 2026, 11:19 PM
- Verdict
- suspicious
- Confidence
- medium
- Model
- gpt-5-mini
- Summary
- The skill's high-level purpose (pre-install scanning) aligns with its requirements, but there are documentation/instruction inconsistencies and an automatic file-write behavior that warrant caution before installing.
- Guidance
- SkillGuard's purpose and requested credentials make sense for running an Apify-based scan, but there are several things to check before installing:
  - Verify the Apify actor and owner: inspect the Apify actor (numerous_hierarchy/skill-guard-actor, ID TMjFBNFqIIUfCBf6K) on console.apify.com to review what that actor actually does and confirm you trust its owner.
  - Confirm webhook security: the skill requires your OpenClaw webhook URL and token. Ensure that endpoint is reachable only by trusted services and that the token is stored and transmitted securely.
  - Review the automatic file-write behavior: the skill intends to append an install policy to a TOOLS.md file on first install. Decide whether you want a skill to modify workspace files automatically; ask the author for a prompt/consent step, or change the behavior to require your explicit approval.
  - Fix the documentation inconsistencies: SKILL.md references different paths for TOOLS.md, and the script requires external tools (curl, jq, base64) that are not declared in the metadata. Ensure those binaries exist and confirm where files will be written.
  - Least privilege: create tokens with limited scope (where the provider allows it) rather than reusing full-power tokens.

  If you want to proceed, manually inspect the included scripts and the Apify actor's code and run logs, and consider running the script in a sandboxed environment first. If you are uncomfortable with automatic modifications to your workspace, ask the author to remove the TOOLS.md append or make it opt-in.
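The binary check, the path ambiguity and the consent step above can be enforced in a small preflight before the skill's own script is allowed to run. The following is an added example, not the SkillGuard skill's script and not ClawHub's code: it verifies the undeclared binaries are present, demands one explicit absolute path for TOOLS.md instead of guessing between the two locations SKILL.md mentions, and only appends the policy when the user has opted in. The environment variable names, the marker comment and the policy text are assumptions for illustration.

```bash
#!/usr/bin/env bash
# Added preflight example (not the SkillGuard skill's own script). Names of the
# environment variables, the marker and the policy text are assumptions.

# Binaries the review notes the bundled script uses but the metadata does not declare.
SKILLGUARD_REQUIRED_BINS="curl jq base64"

# Return 0 when every binary named in the arguments is on PATH; otherwise list
# the missing ones on stderr and return 1 so the caller stops before any write.
check_required_bins() {
  local missing="" bin
  for bin in "$@"; do
    command -v "$bin" >/dev/null 2>&1 || missing="$missing $bin"
  done
  if [ -n "$missing" ]; then
    echo "missing required binaries:$missing" >&2
    return 1
  fi
  return 0
}

# Accept exactly one explicit, absolute TOOLS.md path and print it. Refuse to
# choose between candidate locations: that ambiguity is the risk the review flags.
resolve_tools_md() {
  local explicit="${1:-}"
  if [ -z "$explicit" ]; then
    echo "TOOLS.md path not given; refusing to guess between candidates" >&2
    return 1
  fi
  case "$explicit" in
    /*) ;;
    *) echo "TOOLS.md path must be absolute, got: $explicit" >&2; return 1 ;;
  esac
  printf '%s\n' "$explicit"
}

# Placeholder marker and policy text; the skill's real text is not shown on the page.
POLICY_MARKER="<!-- skillguard-install-policy -->"
POLICY_TEXT="Scan every ClawHub skill with SkillGuard before installing it."

# Append the policy only when consent is literally "yes", only to a file that
# already exists (never create one in an unexpected place), and never twice.
# Exit codes: 0 written or already present, 1 bad target, 2 no consent.
append_policy_opt_in() {
  local target="$1" consent="${2:-no}"
  if [ "$consent" != "yes" ]; then
    echo "no consent recorded; leaving $target untouched" >&2
    return 2
  fi
  if [ ! -f "$target" ]; then
    echo "refusing to create $target; it must already exist" >&2
    return 1
  fi
  if grep -qF "$POLICY_MARKER" "$target"; then
    return 0
  fi
  printf '\n%s\n%s\n' "$POLICY_MARKER" "$POLICY_TEXT" >> "$target"
}

# Run the three checks in order. Usage (assumed variable names):
#   SKILLGUARD_TOOLS_MD=/abs/path/TOOLS.md SKILLGUARD_CONSENT=yes preflight
preflight() {
  local target
  # shellcheck disable=SC2086
  check_required_bins $SKILLGUARD_REQUIRED_BINS || return 1
  target=$(resolve_tools_md "${SKILLGUARD_TOOLS_MD:-}") || return 1
  append_policy_opt_in "$target" "${SKILLGUARD_CONSENT:-no}"
}
```

Run `preflight` once with consent unset to confirm it leaves TOOLS.md untouched, then again with consent set; a second consenting run is a no-op because the marker is already present, which is the idempotence you want from any "on first install" step.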
Review Dimensions
- Purpose & Capability
- ok · SkillGuard claims to scan ClawHub skills using an Apify actor and Lakera Guard; the required environment variables (APIFY_TOKEN, LAKERA_API_KEY, OPENCLAW_WEBHOOK_URL, OPENCLAW_HOOKS_TOKEN) are appropriate and expected for that purpose. Requesting an Apify token as the primary credential is coherent with invoking an Apify actor.
- Instruction Scope
- concern · The SKILL.md and included script instruct the agent to trigger an Apify actor and receive results via an ad-hoc webhook, which is within scope. However: (1) the skill instructs an automatic 'On First Install' append of a policy to a TOOLS.md file in the workspace, modifying user files outside the skill directory; (2) the path references for that file are inconsistent ({baseDir}/../../TOOLS.md vs ~/.openclaw/workspace/TOOLS.md), which is ambiguous and risky; (3) the bundled script requires tools (curl, jq, base64/openssl, bash features) but the skill metadata declares no required binaries, an inconsistency that may cause runtime failures or hidden assumptions. The automatic, pre-response file modification is the main scope creep to review.
- Install Mechanism
- ok · No external downloads or package installs are performed by the skill itself; it is instruction-only with one included script. The script simply calls Apify's API; there is no high-risk install mechanism (no remote archive downloads or execution of fetched code).
- Credentials
- note · All four environment variables requested are relevant to the described workflow (Apify runs, webhook callback, Lakera). They are sensitive tokens, so ensure they are stored securely. It is appropriate that APIFY_TOKEN is primary. No unrelated credentials are requested.
- Persistence & Privilege
- concern · The skill performs an automatic write to a workspace-level TOOLS.md on first install (the SKILL.md explicitly says to do this 'automatically before responding'), which changes user workspace files outside the skill directory. Although not an elevated system privilege, this persistent modification of a user's files without a clearly documented consent step is notable behavior and should be reviewed and approved by the user. The path inconsistency also increases the risk of writing to an unexpected location.
