Skill v1.0.0

ClawScan security

OpenClaw Safe Upgrade · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Suspicious · Mar 8, 2026, 1:47 PM
Verdict
suspicious
Confidence
medium
Model
gpt-5-mini
Summary
The skill's purpose (safe upgrade/rollback) matches the included script, but there are several mismatches and risky behaviors (undeclared tool dependencies, execution of optional workspace hooks, assumptions about filesystem permissions and config contents) that you should understand before using it.

Review Dimensions

Purpose & Capability
concern
The skill claims to perform a safe OpenClaw upgrade, and the bundled script does exactly that. However, the skill metadata declares no required binaries or environment variables, while the script relies on many external tools (npm, python3, systemd-run/systemctl, curl, tar, openclaw CLI, pkill, etc.). Those undeclared dependencies are a capability–purpose mismatch and should have been listed in requires.binaries. The script also reads and writes many OpenClaw files (configs, crons, installation directories), which is consistent with an upgrade but increases the blast radius if misused.
Instruction Scope
concern
SKILL.md and the script stay within the stated upgrade task, but the script also conditionally runs 'optional hooks' found in the workspace (golden-snapshot.sh, service-quick-check.py). Executing files from a user's workspace during an upgrade can run arbitrary code and is a notable risk unless you explicitly control those files. The script also reads config files (openclaw.json, cron jobs, acpx config) which may contain secrets/tokens. It doesn't appear to send them externally, and reading them is necessary for the task, but the access should be noted.
Install Mechanism
note
There is no install spec (instruction-only + bundled script), which is low risk in terms of supply-chain downloads. However, the runtime does perform network operations (npm view / npm i -g) and extracts tarballs into system paths; these are network-backed actions executed at runtime rather than via a controlled installer. The lack of an install step is expected for an instruction-only skill, but you should be aware that the script will contact npm and perform global installs.
Credentials
concern
The skill declares no required env vars, but the script uses _UPGRADE_FORCE_ESCAPE / _UPGRADE_ESCAPED (control flags) and optionally OPENCLAW_WORKSPACE. It also reads $HOME/.openclaw/openclaw.json and other user files, which may contain gateway auth tokens. Not declaring required binaries and not warning about possible sensitive config reads is a proportionality issue: upgrading reasonably needs access to install/config files, but the metadata should state this and request explicit user consent.
Persistence & Privilege
note
The skill does not request always:true and does not try to permanently enable itself. It creates files under the user's home (~/.openclaw/upgrade-backups, result/log files) and launches a transient systemd user scope to survive gateway restart. Those behaviors are coherent with an upgrade tool. One practical concern: the script writes/extracts into /usr/lib/node_modules/ (global install path) and expects to be able to start/stop systemd services, which implies it assumes the running user has permission to manage the OpenClaw installation and systemd units. That privilege assumption is not declared and may fail or require elevation.
scan_findings_in_context
note