Skill v1.0.0

ClawScan security

OpenClaw Soul Weaver · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Suspicious
Mar 9, 2026, 12:45 PM
Verdict
suspicious
Confidence
medium
Model
gpt-5-mini
Summary
The skill largely matches its stated purpose (generating agent configuration files) but has a few inconsistencies and choices that broaden its scope (external third‑party API usage, file-write permissions, auto-triggers and a misleading claim about replacing system files) that you should review before installing.
Guidance
This skill appears to do what it says (generate OpenClaw config files) but relies on a third‑party web service (sora2.wboke.com) and requests file-read/write permissions and auto-trigger patterns. Before installing: (1) confirm you trust the external API (review privacy/terms) because user inputs and generated configs are POSTed there; (2) clarify the apparent mismatch about 'replacing system files' — the code does not overwrite system config files, but the description implies it might; (3) confirm and, if needed, restrict file-write paths (avatars and workspace) so it can't write outside expected directories; (4) be aware the skill can auto-trigger on common phrases — if you want to avoid unexpected runs, disable/limit triggers or require explicit invocation; (5) test it in an isolated environment first and inspect what data is sent to the remote endpoint. If you want, I can draft concrete questions to ask the skill author (e.g., explain file-write scope, provide privacy policy for sora2.wboke.com, and reconcile SKILL.md vs clawhub.yaml permissions).
Findings
[external-api-calls-fetch] expected: index.js uses fetch to call https://sora2.wboke.com/api/v1/generate and /api/generate-image. External network calls are expected for a remote generation service, but you should review what user input is sent and whether you trust that third party.
[file-write-permissions-declared] expected: clawhub.yaml and package.json declare file-write/read permissions and target /avatars/* and workspace paths. This is consistent with avatar saving and zip export, but SKILL.md frontmatter lists only network — the discrepancy should be clarified.
[no-static-injection-signals] expected: Pre-scan injection signals were not detected; however, the absence of regex matches is not a guarantee of safety — runtime behavior (network POSTs) is the main surface here.

Review Dimensions

Purpose & Capability
note
The name/description claim (generate OpenClaw agent configurations) aligns with the code and SKILL.md: the handler calls an external generation API and returns a set of configuration files. However the description repeatedly says it will 'replace system files' or 'replace system files to instantly professionalize your OpenClaw' — the implementation does not show any code that overwrites system or agent config files (it only returns files and logs an avatar save path). Also SKILL.md frontmatter lists only network permission, while clawhub.yaml/package.json also declare file-read/file-write — this mismatch should be clarified.
Instruction Scope
note
Instructions direct the agent to POST user input to an external API (sora2.wboke.com) and to optionally call an image-generation endpoint; they also require auto-including other tools (find-skills, autoclaw, brave-search). The runtime instructions and code do not attempt to read unrelated system files or request secrets, but they do request file-write permissions (avatars) and define auto-trigger patterns that can cause automatic invocation when users say certain phrases. The frontmatter permissions in SKILL.md (network only) differ from other manifests that include file-read/write; you should confirm intended permissions and triggers.
Install Mechanism
ok
This is effectively instruction + small JS handler with no install spec and no third-party packages (dependencies empty). No downloads or obscure install URLs are used. That keeps install risk low.
Credentials
note
The skill does not require credentials or secrets. It does allow overriding API_BASE_URL via env, which can point the code to any endpoint (default is https://sora2.wboke.com). That is reasonable for a generator but means network traffic and user-provided inputs will be sent to an external service — confirm that you trust that endpoint and its privacy policy.
Persistence & Privilege
note
always:false (good). But clawhub.yaml includes trigger patterns that can auto-invoke the skill when users use common phrases; combined with required file-write permissions this means the skill could run and request generation/downloads and save avatars without an explicit install-time consent each time. The skill also auto-includes other tools in generated configs; that can broaden the agent's capabilities indirectly. No evidence the skill modifies other skills or system-wide settings.