Skill v1.1.0
ClawScan security
Openclaw Expert · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Suspicious · Mar 17, 2026, 8:03 PM
- Verdict: suspicious
- Confidence: medium
- Model: gpt-5-mini
- Summary: The skill is coherent with being an OpenClaw admin/expert guide, but the runtime instructions include high‑risk operations (remote script execution, systemctl, /etc/hosts edits, references to credentials and env vars) and a prompt‑injection pattern was detected — review before allowing autonomous execution or supplying secrets.
- Guidance: This is a documentation-heavy, admin-focused skill that is internally consistent with managing OpenClaw, but it contains many actionable system-level commands and references to credentials. Before installing or enabling autonomous invocation:
  1. Do NOT supply real API keys or gateway tokens to the skill until you audit the exact instructions.
  2. Disable autonomous execution (or require manual approval) if you don't want the agent to run shell commands or modify system files.
  3. Search SKILL.md for any 'curl | bash' or host-file edits and avoid running those unreviewed; prefer official release assets from known registries.
  4. Run this skill in a sandboxed environment (container or VM) and keep ~/.openclaw and credential files permissioned.
  5. If you plan to let the agent perform actions, grant least privilege: avoid mounting docker.sock or broad bind-mounts and avoid giving gateway tokens to untrusted skills.

  If you want, I can point to the exact lines that show high-risk commands (curl|bash, systemctl, /etc/hosts edits, docker-socket mounts) for manual review.
- Findings
[system-prompt-override] unexpected: The regex scanner flagged a 'system-prompt-override' pattern in SKILL.md. As an admin guide, the skill may need to show how to configure agent prompts, but any content that looks like instructions to override the agent/system prompt can be a prompt-injection vector. Treat this as a signal to inspect the specific text before allowing the skill to run autonomously.
Review Dimensions
- Purpose & Capability (ok): Name/description match the contents: this is a docs-first, admin/operator guide for self‑hosted OpenClaw. The commands, config paths (~/.openclaw/*), channel setup, Docker and sandbox instructions are all expected for that purpose.
- Instruction Scope (concern): SKILL.md goes beyond passive documentation and contains actionable shell/CLI steps (systemctl restart, curl | bash install, /etc/hosts edits, docker-compose instructions, gateway RPCs) and explicit references to credentials and workspace files. If an agent executed these instructions autonomously they could modify system configuration, run remote code, or access sensitive files. The SKILL.md also instructs the agent to web_fetch/web_search for live docs which grants network access and discretion to retrieve external content.
- Install Mechanism (ok): Instruction-only skill with no install spec and no code files — lowest install surface. However the docs recommend running external installer scripts (curl -fsSL https://get.openclaw.ai | bash) and pulling images from GHCR; those are documented recommendations in the references but are higher-risk if executed automatically.
- Credentials (note): The skill declares no required env vars, but the documentation references many environment variables and credential/config paths (OPENCLAW_*, OPENCLAW_GATEWAY_TOKEN, ~/.openclaw/credentials, etc.). That mismatch is understandable for a doc/guide, but it means the skill's instructions assume access to secrets and env vars that were not explicitly declared — exercise caution before supplying credentials or allowing the agent to read these paths.
- Persistence & Privilege (note): Skill is not always:true and does not request persistent installation. Normal autonomous invocation is allowed (disable-model-invocation is false). Because the instructions include privileged operations (systemd, docker socket, editing host files, mounting volumes), combining autonomous invocation with these instructions increases risk — prefer manual approval for any execution steps.
