Skill v1.0.8
ClawScan security
Safe-Web · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Benign · Feb 11, 2026, 3:35 PM
- Verdict
- benign
- Confidence
- high
- Model
- gpt-5-mini
- Summary
- The skill's code, documentation, and runtime instructions are coherent with its stated purpose (fetch + scan web content) and request only proportional resources (PromptGuard, Python deps, optional Brave API key).
- Guidance
- This skill appears coherent and implements what it claims: fetching HTML, extracting text, and scanning with PromptGuard. Before installing: 1) Review and trust the PromptGuard dependency (it's the core scanner); 2) Prefer a virtualenv/container rather than system-wide pip installs or --break-system-packages to avoid altering host Python; 3) Be cautious before creating a system symlink or disabling native web tools — those change system behavior and may affect other workflows; 4) Only provide BRAVE_API_KEY if you need search functionality and trust the environment; 5) If you want extra assurance, inspect the prompt-guard code and run safe-web in an isolated environment to confirm no unexpected network exfiltration. The pre-scan injection flag in the docs is explanatory, not an active instruction.
- Findings
[ignore-previous-instructions] expected: The SKILL.md/README describe prompt-injection patterns (including 'ignore previous instructions') as examples of threats to detect. This is a documentation occurrence, not an instruction to the agent or evidence of malicious intent.
Review Dimensions
- Purpose & Capability
- ok · Name and behavior align: the tool fetches HTML, extracts text, and scans with PromptGuard. Declared requirements (python3, prompt-guard, requests, beautifulsoup4, optional BRAVE_API_KEY) match the implemented functionality. No unrelated credentials or binaries are requested.
- Instruction Scope
- note · SKILL.md and README contain only fetch/search/scanning instructions and install guidance. They do recommend creating a system symlink (/usr/local/bin) and suggest disabling native web_fetch/web_search in OpenClaw config to force use of safe-web — these are user-facing operational changes (not automatically performed) and are reasonable for a drop-in replacement but worth reviewing before applying. The pre-scan flag ('ignore-previous-instructions') appears in the docs as an example of an attack pattern, not as an instruction to the agent.
- Install Mechanism
- note · Install uses pip to install standard packages and an editable install of a local PromptGuard workspace. This is a common approach for Python-based tools, but pip installs (and the SKILL.md's use of --break-system-packages) can modify system Python state — consider using a virtualenv or container to avoid impacting the host environment. No arbitrary remote download or obfuscated installer was observed.
- Credentials
- ok · Only one optional environment variable (BRAVE_API_KEY) is referenced and justified for search functionality. The code does not request other secrets or config paths. skill.json declares python3 and dependency on prompt-guard, which are appropriate.
- Persistence & Privilege
- ok · The skill does not request always:true and does not attempt to modify other skills or agent configuration automatically. It recommends (but does not force) disabling native tools and creating a symlink; those are user actions and not implicit privileges.
