Skill v1.0.4
ClawScan security
SealVera · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Suspicious · Mar 7, 2026, 1:37 PM
- Verdict: suspicious
- Confidence: high
- Model: gpt-5-mini
- Summary: The skill mostly implements an audit/tracing tool that fits its description, but there are multiple mismatches and risky behaviors (missing declared env requirements, a hard-coded API key, filesystem reads of agent transcripts, and global runtime monkeypatching) that warrant careful review before installing.
- Guidance: What to consider before installing:
  - Metadata mismatch: the registry lists no required env vars, but the skill requires SEALVERA_API_KEY/SEALVERA_ENDPOINT/SEALVERA_AGENT. Ask the publisher to correct the metadata.
  - Data exfiltration risk: this skill will send agent inputs/outputs/reasoning to https://app.sealvera.com (or whichever endpoint you configure). If your agents handle sensitive data (PHI, PII, financial data), sending transcripts or factor-level values to an external service may violate policy or law (e.g., HIPAA, GDPR) unless you have an appropriate contract/BAA and configuration.
  - Filesystem access: setup and the watcher will read/write workspace files (AGENTS.md, SOUL.md, .sealvera.json, sealvera-log.js) and the watcher reads sessions/transcripts from the user's home directory. Review those operations and ensure you are comfortable with the changes and with transcripts being processed and potentially transmitted.
  - Global runtime changes: autoload and intercept scripts monkeypatch Module._resolveFilename/require cache to intercept OpenAI/Anthropic clients. That can change agent behavior across your environment and may be hard to audit or undo. Consider testing in an isolated sandbox first.
  - Hard-coded API key: the watcher includes a baked-in default API key; this is unexpected and should be removed. Ask the author why it exists and require it be deleted or explained prior to use.
- Recommendations:
  - Do not connect production systems (especially those handling PHI/financial PII) until you have verified the vendor, reviewed the server endpoint and DPA/BAA, and tested in a safe environment.
  - Request the publisher/source code origin and a verifiable homepage or vendor contact (none declared here). Prefer published/official SDKs from known vendors.
  - If you want to trial: use an isolated workspace and a throwaway SealVera API key with minimal privileges; run setup interactively and inspect every file it writes; grep for hard-coded secrets; run the code in a sandbox and monitor network calls.
  - Ask the author to fix the metadata (declare required env vars and config paths), remove hard-coded credentials, and provide an audit or third-party review of the interception/monkeypatch behavior.

  If you want, I can produce a short checklist of exact files and lines to inspect or a safe test plan to evaluate this skill in isolation.
- Findings:
  - [hardcoded-credential] unexpected: scripts/subagent-watcher.js contains a hard-coded default SV_KEY value (SV_KEY = 'sv_5e4735b2...'). A logging/tracing SDK might request an API key, but embedding a default secret in code is unexpected and unsafe; it could leak or be abused.
Review Dimensions
- Purpose & Capability (note): The name/description (tamper-evident audit trail) matches what the code and docs actually do: intercept LLM SDKs, log decisions to app.sealvera.com, provide helpers and a watcher. However the registry metadata declares no required env vars or credentials while the skill and reference docs clearly require SEALVERA_API_KEY and other environment config — this inconsistency is surprising and reduces trust.
- Instruction Scope (concern): Runtime instructions and scripts instruct the agent to run setup.js which will write files into the workspace (sealvera-log.js, .sealvera.json), patch AGENTS.md and optionally SOUL.md with mandatory logging rules, and suggest setting NODE_OPTIONS to auto-require an autoload script. The subagent-watcher reads ~/.openclaw/.../sessions.json and session transcripts and will synthesize and POST logs for missing sessions. These actions read and transmit potentially sensitive data (transcripts, inputs/outputs, possibly PHI) to an external service and impose mandatory logging in agent prompts — scope extends well beyond benign SDK-wrapping.
- Install Mechanism (note): There is no network install spec (instruction-only + included scripts), so nothing is downloaded during install. However the setup script will copy/generate files into the user's workspace and suggests runtime autoloading (NODE_OPTIONS). The code will attempt to require an external 'sealvera' SDK if present, but also generates a local sealvera-log.js helper that performs network calls.
- Credentials (concern): The skill metadata declared no required env vars, but the code and docs expect SEALVERA_API_KEY (and optionally SEALVERA_ENDPOINT, SEALVERA_AGENT). The subagent-watcher includes a hard-coded default SV_KEY value in its source (a baked-in API key), which is unexpected and dangerous. The skill also reads OPENCLAW_WORKSPACE and the user's home sessions/transcripts — access to these paths is not declared in metadata and may expose sensitive data.
- Persistence & Privilege (concern): Setup will write config and helper files into the workspace and patch AGENTS.md and SOUL.md to enforce a mandatory logging footer. The autoload script monkeypatches module loading to intercept OpenAI/Anthropic clients at require-time and mutates require cache entries — a global runtime modification. The subagent-watcher writes state and can be run as a cron-style backstop. These changes are persistent and affect agent behavior beyond a local helper.
