Skill v1.0.1

ClawScan security

Daily Summary · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Benign · Mar 21, 2026, 7:01 AM
Verdict
Benign
Confidence
medium
Model
gpt-5-mini
Summary
The skill's instructions and requirements are consistent with its stated purpose (generate a daily summary and token-usage report) — it runs the local openclaw CLI and writes a summary file — but there are minor unexplained details (missing referenced script and unknown origin) worth checking before install.
Guidance
This skill appears coherent with its stated purpose: it parses `openclaw status --json` and writes a daily summary markdown in your OpenClaw workspace. Before installing or enabling it, check: (1) Ensure you trust code that will run the local `openclaw` CLI — that command may reveal session or account details depending on its output. (2) Be aware the skill will create/modify files under ~/.openclaw/workspace/memory; review file permissions and contents. (3) The SKILL.md mentions `cron_daily_summary.py` and cron behavior, but no script is included — if you want scheduled runs, either supply/inspect your own script or ask the author for the implementation. (4) The package has no homepage or source listed; if you need stronger assurance, request the script source or a vetted upstream repo before enabling autonomous invocation.

Review Dimensions

Purpose & Capability
note: Name/description (daily learning summary with token stats) matches the runtime instructions: it runs `openclaw status --json` to extract token fields and writes a daily markdown file. Minor inconsistency: SKILL.md references a helper script (`~/.openclaw/workspace/cron_daily_summary.py`) and cron-related behavior that are not included in the package (no code files provided).
Instruction Scope
note: Instructions are narrowly scoped: run `openclaw status --json`, parse token-related fields, aggregate and save results to `~/.openclaw/workspace/memory/YYYY-MM-DD.md`, and report totals. This stays within the stated purpose, but it explicitly requires executing a local CLI and writing into the user's OpenClaw workspace; it also gives parsing/implementation hints (subprocess.Popen, skip log prefixes). It does not instruct reading other unrelated files or exfiltrating data to external endpoints.
Install Mechanism
ok: Instruction-only skill with no install spec and no code files (aside from SKILL.md and package.json). Lowest-risk install footprint (nothing downloaded or written by an installer).
Credentials
note: The skill requests no environment variables or external credentials, which is appropriate. However, it will parse the output of `openclaw status --json` — depending on what that CLI prints, the command may expose session metadata or other sensitive runtime details. The skill does not declare or ask for additional secrets.
Persistence & Privilege
note: It does not request `always: true` and does not modify other skills. It will create/modify files under `~/.openclaw/workspace` (memory file and references a cron script path). Writing files to the user's workspace is expected for this capability but is a persistent side effect to be aware of. The referenced cron script is not provided, so automatic scheduling is not actually installed by this package.