Skill v2.1.0
ClawScan security
Visa · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Suspicious · Mar 10, 2026, 4:37 AM
- Verdict: suspicious
- Confidence: high
- Model: gpt-5-mini
- Summary: The skill's description promises a multi-file visa guidance system with local data storage and many helper scripts, but the package contains only a single benign-looking script and is missing the referenced scripts and docs — the packaging is incomplete or inconsistent.
- Guidance: This package is incomplete: SKILL.md promises multiple scripts and local data files but only scripts/identify_visa.py is present. The single script is benign-looking (prints visa recommendations, no network or credential access), but the missing scripts mean the skill will not provide the checklist, timeline tracking, or interview prep claimed. Before installing or using: 1) ask the publisher for the missing scripts and reference files or for a corrected SKILL.md; 2) verify where the skill will store data (~/.openclaw/workspace/memory/visa) and whether that location is acceptable for sensitive documents; 3) if you need the full feature set, only proceed when the package actually contains the supporting scripts (and review them for network access or credential use); 4) if unsure, test in a controlled environment (or sandbox) and avoid placing real passport/citizenship documents into the skill until you confirm its behavior.
Review Dimensions
- Purpose & Capability (concern): The SKILL.md describes multiple workflows and scripts (build_checklist.py, track_timeline.py, prep_interview.py, log_application.py, check_deadlines.py, compare_visas.py, document_status.py) and many reference markdown files, but the bundle only contains one script (scripts/identify_visa.py) and two files total. Either the skill is incomplete, or the SKILL.md was copied from a larger project. A full document-tracking/timeline system would legitimately need many supporting files; those are missing, so the claimed capability is not present.
- Instruction Scope (concern): Instructions state that all visa data is stored locally (memory/visa/) and list many scripts to run for logging, tracking and checklist generation. The included identify_visa.py only prints recommendations to stdout, does not read or write the declared memory files, and never calls its ensure_dir() function — so the runtime behavior described in SKILL.md (local persistent storage, timeline checks, checklists, interview prep) is not implemented by the provided code. No instructions reference external endpoints or credentials, which is appropriate, but the SKILL.md gives an operational scope that the package does not actually implement.
- Install Mechanism (ok): No install spec is provided (instruction-only with one included script). That is low-risk because nothing is downloaded or executed on install beyond the provided files.
- Credentials (note): The skill requires no environment variables or external credentials, which is appropriate for an offline helper. The script references a path in the user's home (~/.openclaw/workspace/memory/visa) for local storage; storing sensitive visa documents locally is expected for this use-case but is a privacy consideration — users should confirm where the agent stores data and ensure it is acceptable.
- Persistence & Privilege (ok): The skill is not marked always:true and does not request elevated privileges. It claims to store data locally under an agent workspace path; that is normal for a stateful skill, but the provided code does not actually persist data. Autonomous invocation remains enabled by default (not a problem by itself).
