Skill v1.1.0
ClawScan security
GitHub → ClawHub one-click conversion and publishing · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Suspicious · Mar 10, 2026, 2:21 AM
- Verdict: suspicious
- Confidence: high
- Model: gpt-5-mini
- Summary: The skill's instructions generally match its stated goal (convert a GitHub repo into a ClawHub skill) but contain several risky and inconsistent behaviors (undeclared token requirement, writing into /root, copying arbitrary repo files into workspace, and instructions to patch system CLI files) that are disproportionate and warrant caution.
- Guidance: This skill's goal (convert a GitHub repo into a ClawHub skill and publish it) is plausible, but the runtime instructions include risky, system-level operations and an undeclared credential. Before installing/using it:
  - Do not hand over your CLAWHUB_TOKEN without understanding its scope; prefer a token with the minimum permissions or create a throwaway token for testing. The metadata should declare this required env var — its absence is a red flag.
  - Review the target GitHub repo contents manually first. The skill's workflow may copy scripts/configs from the repo into the agent workspace which could introduce malicious code or secrets.
  - Avoid running the automated publish flow on a host where you don't want persistent changes. Run in a sandbox/container, as a non-root user, or on an isolated machine.
  - Do not run the suggested sed/patch commands on global system paths (/usr/local/lib) unless you fully trust the source and understand the change; patching installed CLI files is high-risk and can break or subvert tooling.
  - Verify license compatibility and that the project actually fits the 'skill' model (not GPU-only, not purely frontend, not requiring complex local services). The SKILL.md lists sensible exclusion rules — follow them.
  - Prefer a manual publish workflow for the first few runs: generate the SKILL.md, inspect it and any bundled files, then run clawhub publish yourself rather than allowing the agent to do it autonomously.

  Because of the undeclared token requirement and instructions to write/modify system files and bundle arbitrary repository code into the agent workspace, treat this skill as suspicious and follow the precautions above before using it.
Review Dimensions
- Purpose & Capability (concern): The high-level purpose (turn a GitHub project into a ClawHub skill and publish it) is coherent with most steps (fetch README, write SKILL.md, publish). However the SKILL.md requires a ClawHub token and exec privileges while the registry metadata declares no required env vars or binaries — this mismatch is an incoherence. Also the workflow includes copying arbitrary repository scripts/configs into the agent's skills directory, which goes beyond mere metadata conversion and may require elevated filesystem access.
- Instruction Scope (concern): Instructions go beyond reading README and composing metadata: they fetch remote files, create local directories under /root/.openclaw/workspace/skills, place repository scripts/config files into the skill directory, set CLAWHUB_TOKEN in the environment for publishing, and suggest automated retries via external cron bots. Most concerningly, the doc instructs patching a globally installed CLI file (search/modify publish.js under /usr/local/lib) to bypass errors/rate-limits. These actions expand scope to system modification and arbitrary code inclusion.
- Install Mechanism (concern): There is no formal install spec (instruction-only), which reduces supply-chain risk, but the runtime instructions instruct modifying installed software (sed patch of publish.js under /usr/local/lib) and writing files into system paths. That behavior is effectively an installation/modification step and is high-risk because it alters third-party code on disk.
- Credentials (concern): The SKILL.md explicitly requires a ClawHub API token (format clh_xxx) and uses CLAWHUB_TOKEN in publish commands, but the skill metadata lists no required env vars and no primary credential — that's an inconsistency the user should notice. Requesting a publishing token is reasonable for the stated purpose, but the guidance to set it in environment and to run automated publish steps means that token could be used by the agent to publish or overwrite content; no scope/permission guidance is given. Also copying repo contents into the skill directory raises the risk of bundling secrets or executing malicious code from the repo.
- Persistence & Privilege (concern): The skill does not request 'always: true', but the runtime actions require writing persistent files into the agent's workspace (a path under /root/.openclaw) and potentially modifying global CLI files. Those are persistent, privileged changes to the host environment. Autonomous invocation is allowed by default; combined with the ability to publish and modify system files, that increases the blast radius if the skill were misused.
