Skillv1.0.0

ClawScan security

Task Protection · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

ReviewMar 15, 2026, 11:02 AM

Verdict: Review
Confidence: medium
Model: gpt-5-mini
Summary: The skill's files and runtime instructions largely match a task-tracking purpose, but there are mismatches and risky choices (hard-coded API key, fixed /home/admin paths, external network calls and fixed user IDs) that are disproportionate or unexplained.
Guidance: This skill is mostly coherent with its stated purpose (task lifecycle and health checks), but I found several concerning implementation choices you should review before installing or running: - Hard-coded credential: scripts/daily-news.sh includes a TAVILY_API_KEY value embedded in source. Treat that as a secret leak risk and remove or replace it with a configurable environment variable if you intend to run the scripts. Verify whether that key is legitimate (dev/test) and whether it should be rotated. - Fixed absolute paths and user IDs: the scripts assume WORKSPACE=/home/admin/.openclaw/workspace, a specific local CLI path, and a Feishu user id. These will fail or may write/read files in an unexpected user account. Make the workspace path configurable (env var) and remove baked-in user identifiers. - External network calls: the daily-news script POSTs to https://api.tavily.com/search and fetches wttr.in. If you run the skill, those requests will leave your environment and may include embedded keys or data. Review and sanitize what is sent, and ensure you are comfortable with that external service. - System access: health-check and other scripts probe system services (systemctl), crontab, disk/memory usage and may read task files. These actions are reasonable for a health-check tool but mean the scripts will access system configuration and files—run them in a trusted or sandboxed environment first. Recommended actions before use: 1. Inspect and remove/replace any hard-coded API keys and sensitive IDs; switch to env vars (e.g., TAVILY_API_KEY, WORKSPACE) and declare them in documentation. 2. Update scripts to accept a configurable workspace root and not assume /home/admin. Test in a non-privileged sandbox first. 3. If you need the network integrations, verify the external service (tavily.com) and rotate any embedded keys; consider restricting network access or monitoring outbound traffic. 4. Review logs/state files location to ensure they do not leak sensitive content and that file permissions are appropriate. 5. If the author can confirm the embedded API key is a harmless demo key and provide a configurable path/ENV approach, my confidence would increase. Otherwise treat this skill as suspicious and audit/modify the code before running.

Review Dimensions

Purpose & Capability: noteName/description (task lifecycle + failure analysis) align with the provided shell scripts (task-utils, health checks, reports, registration). However the code embeds absolute paths (/home/admin/.openclaw/workspace), a hard-coded third‑party API key, and a fixed Feishu user id / message CLI path—these are environment-specific and not declared in the skill metadata, which is an inconsistency.
Instruction Scope: concernSKILL.md and scripts instruct writing state files (memory/tasks/*.json), logs, and manipulating a workspace — expected. But scripts also read local system state (systemctl, crontab, df, free, du), read task lists (TASKS_FILE), and call external services (tavily.com, wttr.in) and local CLI tools. Those operations are plausible for health-checks/news push, but they access system configuration and make external network requests without any declared env/config options—granting broad file and network access with hard-coded endpoints/keys.
Install Mechanism: okNo install spec (instruction-only plus shipped scripts). No downloads or external installers are run by the skill itself. Risk comes from shipped scripts that will execute on install/use, but there is no opaque install step that fetches arbitrary code.
Credentials: concernThe skill declares no required env vars, yet scripts contain a hard-coded API key (TAVILY_API_KEY) and assume a fixed workspace path (/home/admin/.openclaw/workspace) and local CLI locations. Embedding a live API key and fixed user/paths is disproportionate and risky: it may leak a credential, fail unpredictably on other systems, or cause unintended writes to /home/admin. There are also external network calls (tavily.com) that will transmit queries using that key.
Persistence & Privilege: notealways is false and the skill is user-invocable; it does not request persistent platform privileges. It writes state and log files under the assumed workspace (normal for a tracking tool). However combining autonomous agent invocation (default) with scripts that perform network calls and system checks increases blast radius if misused—this is a contextual risk, not an intrinsic privilege flag in the bundle.