ClawSkillShield
ReviewAudited by ClawScan on May 10, 2026.
Overview
This local scanner is mostly coherent and has no network behavior, but its autonomous quarantine feature can move or replace local folders without clear safeguards.
Review before installing if you plan to let an agent use it automatically. Manual scanning appears purpose-aligned and local, but do not enable automatic quarantine unless paths are restricted and you have backups or an undo process. Treat generated reports as sensitive because they can include partial secret values.
Findings (3)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
A mistaken or autonomous call could move a normal local folder or replace an existing quarantined copy, breaking the user's setup or causing data loss until manually restored.
The quarantine API accepts an arbitrary path, deletes any existing quarantine target with the same basename, and moves the supplied path. The code does not validate that the path is an OpenClaw skill, ask for approval, or provide an undo mechanism.
def quarantine(path: str) -> str:
"""Quarantine a risky skill – agents can call this autonomously."""
...
if os.path.exists(target):
shutil.rmtree(target, ignore_errors=True)
shutil.move(path, target)Require explicit user confirmation for quarantine, restrict actions to known skill directories, use timestamped quarantine targets instead of deleting collisions, and provide dry-run and restore commands.
Users may trust an agent to take file-moving actions automatically based on scanner output, even when a false positive or wrong path could disrupt local files.
The documentation presents autonomous quarantine as safe, but the implementation lacks guardrails for path scope, confirmation, collision handling, or reliable policy enforcement.
Auto-quarantine on detection
if risk_score < 4:
quarantine("/path/to/skill")
...
(Safe for agents to auto-trigger on HIGH RISK)Reword the guidance to require human approval for destructive or mutating actions, and document the limitations and recovery process clearly.
If scan reports are pasted into chats, logs, or tickets, they may reveal part of a real secret found in the scanned files.
The scanner intentionally searches selected files for secrets and includes part of the matched value in the generated report. This is expected for a security scanner, but the report may contain sensitive credential fragments.
"AWS Access Key": r"AKIA[0-9A-Z]{16}",
"Generic API Key": r"(?i)(api_key|apikey|secret|token).{0,30}['\"][a-z0-9]{32,45}['\"]",
...
description=f"{match.group()[:30]}..."Treat scan reports as sensitive and consider redacting matched secret values by default while still showing file and line information.