Back to skill
Skillv2.0.0
ClawScan security
Agent Builder Repo · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
BenignApr 16, 2026, 2:10 AM
- Verdict
- benign
- Confidence
- high
- Model
- gpt-5-mini
- Summary
- The skill is an instruction-only authoring helper for creating OpenClaw agent workspaces; its requirements and instructions are coherent and proportionate to that purpose.
- Guidance
- This skill is a template-and-checklist authoring helper and appears safe to install: it asks only for conversational input and generates workspace files based on included templates. Before using in production, review generated files (SOUL.md, AGENTS.md, HEARTBEAT.md, MEMORY.md) to ensure they don't accidentally include sensitive information and to confirm safety rules meet your policies. Note that a reference file mentions an external API hub (api.heybossai.com) purely as background; if you or a developer extend the agent to call external services, require explicit configuration and minimal credentials, and audit any network endpoints the agent will call.
Review Dimensions
- Purpose & Capability
- okName/description match the actual content: an authoring workflow, templates, and checklists for OpenClaw agent workspaces. It does not request unrelated binaries, credentials, or config paths.
- Instruction Scope
- okSKILL.md restricts activity to interviewing the user, producing workspace files from local templates, running acceptance tests, and suggesting diffs. It does not instruct the agent to read arbitrary host files, access credentials, or reach out to external endpoints as part of its default workflow.
- Install Mechanism
- okInstruction-only skill with no install spec and no code files; nothing is written to disk by an installer, which minimizes supply-chain risk.
- Credentials
- noteSkill requires no environment variables or credentials. One reference file (architecture.md) mentions a third-party API hub (https://api.heybossai.com/v1/pilot) as background/context; that mention is informational and not required by the skill, but it could prompt a developer to wire external integrations later—ensure any added integrations request only the minimum credentials and you review them.
- Persistence & Privilege
- okalways is false, no install spec, and the skill does not request persistent privileges or attempt to modify other skills or system-wide agent settings.