Skill v1.0.3
ClawScan security
Soul Weaver · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Suspicious · Mar 13, 2026, 7:59 AM
- Verdict
- suspicious
- Confidence
- medium
- Model
- gpt-5-mini
- Summary
- The skill mostly does what it says (local template generation + optional cloud generation), but there are multiple inconsistencies and transparency gaps — notably an undocumented cloud API endpoint/credential flow, mixed claims about privacy/local-only behavior, and mismatched metadata — so inspect before trusting it with real data or credentials.
- Guidance
- This skill appears to implement local persona/template generation and an optional cloud generation feature. Before installing or using it with real data:
  1. Review index.js (and backup) to confirm exactly what data would be sent to the external endpoint (sora2.wboke.com) and whether that endpoint is trustworthy.
  2. Do not provide API keys or sensitive data to the skill until you verify the cloud service's privacy policy and ownership.
  3. Because the README claims 'privacy first' yet code supports a cloud API, treat the local mode and cloud mode differently: prefer local template mode when you need privacy.
  4. Test in an isolated workspace (backup your real workspace) — the skill writes core files to the workspace root and recommends overwriting them.
  5. Check bundled scripts (assets/cron-templates, scripts/security-audit.sh) before executing them.
  6. If you need a higher assurance level, ask the publisher for clarification about the cloud API, required credentials, and exact telemetry or logging behavior; if that cannot be provided, consider using only the included local templates or manually copying the templates rather than invoking cloud generation.
Review Dimensions
- Purpose & Capability
- note: The skill's stated purpose (generate persona/config files from celebrity templates) matches the code and bundled templates: it reads template files and writes them to the user's workspace. However there are inconsistencies: some files and comments claim 12 templates while other files (index/backup, README, welcome message) reference 36 templates. The README/SKILL.md also advertise 'privacy first / your data stays local' even though the code and examples describe an optional cloud API (sora2.wboke.com) for custom generation. These mismatches are not outright malicious but reduce trust and clarity.
- Instruction Scope
- note: Runtime instructions and SKILL.md primarily operate on workspace files (SOUL.md, IDENTITY.md, MEMORY.md, etc.) and recommend copying/writing files into the user's OpenClaw workspace — this is consistent with the skill's purpose. But SKILL.md and code support an optional cloud generation mode that will send user-provided inputs (aiName, custom answers, etc.) to an external API endpoint; that external network activity is within the declared permissions but contradicts the 'privacy first' marketing language. The SKILL.md does not instruct reading unrelated system files or credentials, so scope creep is limited to the cloud API option.
- Install Mechanism
- ok: There is no external install/download step in the manifest (no remote archive or install URL). The package is delivered with source files bundled. That lowers supply-chain risk compared with arbitrary network installs. The repository includes shell scripts and cron templates but they are not automatically installed or executed by an install mechanism in the registry metadata.
- Credentials
- concern: The registry metadata lists no required environment variables or primary credential, but the code and README show an optional cloud mode that requires an API key parameter and references an external endpoint (sora2.wboke.com). That credential requirement is not declared in the skill metadata (or as primaryEnv), making the permission/credential model unclear. The skill requests network + filesystem permissions (appropriate for its features) but the undocumented cloud API and how user data is sent there is a transparency gap and a proportionality concern.
- Persistence & Privilege
- ok: The skill is not marked always:true and does not request elevated persistent presence. It reads/writes files in the user's OpenClaw workspace (documented by the SKILL.md), which is expected for this functionality. There is no evidence it modifies other skills' configurations or system-wide settings.
