Skill v2.2.0
ClawScan security
SecureClaw · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Suspicious (Feb 20, 2026, 10:57 AM)
- Verdict: suspicious
- Confidence: high
- Model: gpt-5-mini
- Summary: The skill is broadly coherent with a security/audit purpose but is intrusive (it modifies cognitive/config files that persist after uninstall), makes local changes automatically (hardening, baselines, SOUL.md edits), and includes remote advisory fetching — review and vet before running.
- Guidance: What to consider before installing SecureClaw:
  - Functionality: The skill appears to do what it claims (audits, hardens, scans skills, privacy checks, emergency response). The bundled scripts implement those features locally — there are no required external credentials.
  - Intrusiveness: Installing/running the included scripts will modify your OpenClaw installation: it copies files into ~/.openclaw/skills, appends entries to TOOLS.md and AGENTS.md, creates baselines under ~/.openclaw/.secureclaw, and quick-harden.sh will modify openclaw.json and append privacy/injection directives to SOUL.md. Uninstall does not automatically remove the SOUL.md edits. Treat these as persistent configuration changes.
  - Network activity: check-advisories.sh fetches a remote advisory feed by default. If you are restrictive about network calls, either set SECURECLAW_FEED_URL to a vetted source or avoid running that script.
  - Before you run anything: read the install.sh, quick-harden.sh, and uninstall.sh to understand exact changes. Back up SOLID copies of openclaw.json, SOUL.md, and any cognitive files. Consider running the scripts in a test environment first.
  - If you want reduced risk: run the audit/scan scripts (quick-audit.sh, scan-skills.sh, check-privacy.sh) first in 'read-only' mode to see findings, do NOT run quick-harden.sh until you review each proposed change, and do not run install.sh unless you accept the persistent modifications.
  - The scanner flagged an 'ignore previous instructions' pattern; this is likely because the skill ships injection-detection regexes. Still, verify the phrase is only used for detection (not as an executable instruction).
- Findings:
  - [ignore-previous-instructions] expected: The SKILL.md/pre-scan flagged 'ignore-previous-instructions' pattern. This skill legitimately includes injection-detection patterns and grep/regexes for common prompt-injection phrases (so the phrase appearing in configs/scripts is expected). Still, presence of these strings triggered the scanner; verify the phrase only appears in detection/config contexts and not as an instruction to the agent.
Review Dimensions
- Purpose & Capability (ok): Name/description (security audit, privacy checks, supply-chain scanning, incident response) matches the included scripts and configs. The scripts perform the audits/hardening the SKILL.md promises and do not request unrelated cloud credentials or unrelated binaries.
- Instruction Scope (note): SKILL.md directs the agent to run the included scripts (audit, harden, scan, emergency). The scripts do more than passive checks: quick-harden.sh will modify configs (sed on openclaw.json), create/append privacy & injection directives in SOUL.md, create baseline files, and install entries into TOOLS.md/AGENTS.md. These actions are consistent with a hardening tool but are intrusive and could change agent behavior without explicit per-change approvals unless the user inspects them first.
- Install Mechanism (note): No remote install spec (no arbitrary download/extract) — installer is a local shell copy operation (install.sh copies files into ~/.openclaw). check-advisories.sh fetches a default feed from https://adversa-ai.github.io (configurable via SECURECLAW_FEED_URL). No evidence of automatic remote code execution or use of URL shorteners, but the skill will make local filesystem changes when install.sh or quick-harden.sh are run.
- Credentials (note): The package declares no required env vars or primary credential. Scripts do read local sensitive files (openclaw.json, .env, SOUL.md, other workspace files) to perform checks and may log findings. That reading is proportional to an audit tool, but it means the scripts will access credential-bearing files (they do not require you to supply secrets explicitly).
- Persistence & Privilege (concern): Installer and hardening scripts append to TOOLS.md/AGENTS.md and SOUL.md and create baselines under ~/.openclaw/.secureclaw. uninstall.sh explicitly warns it will NOT remove SecureClaw directives added to SOUL.md. That means modifications to cognitive/state files persist after uninstall and can influence agent behavior long-term. The skill is not marked always:true, but it writes persistent artifacts and registers itself in workspace files — this persistent presence is significant and warrants caution.
