Openclaw Arbiter
Review
Audited by ClawScan on May 10, 2026.
Overview
The skill’s auditing behavior is mostly coherent, but the included script advertises quarantine, revoke, enforce, and protect commands that are not clearly disclosed in the user-facing skill instructions.
Install only if you are comfortable with a local auditor that may also contain active workspace-control commands. Prefer running the documented read-only audit/report/status commands, review the script before using enforce/quarantine/revoke/protect, and back up your skills directory first.
Findings (4)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
A user or agent could invoke commands that alter installed skills rather than only reporting on them.
The bundled script advertises commands that could enforce policy, quarantine, revoke, or protect skills, but SKILL.md only documents audit/report/status commands. These higher-impact operations could change the local skill environment if invoked.
Usage:
  arbiter.py policy [--init] [--workspace PATH]
  arbiter.py enforce [skill] [--workspace PATH]
  arbiter.py quarantine <skill> [--workspace PATH]
  arbiter.py unquarantine <skill> [--workspace PATH]
  arbiter.py revoke <skill> [--workspace PATH]
  arbiter.py protect [--workspace PATH]
Treat this as more than a read-only auditor until the code has been reviewed; use only the audit/report/status commands and back up the skills workspace before any enforcement or quarantine action.
Users may install it expecting a passive scanner while the included tool describes active control features.
The code’s own description mentions high-impact enforcement and quarantine capabilities, while the visible SKILL.md presents the skill as a local reporting/auditing layer. This mismatch can cause users to underestimate what the bundled script is designed to do.
Full features adds automated policy enforcement, quarantine, revocation, and protection sweeps.

Philosophy: alert -> subvert -> quarantine -> defend
Free = alert. Pro = subvert + quarantine + defend.
The publisher should clearly separate or disclose pro/enforcement functionality and document exactly which commands are safe read-only operations.
Local skill files, which might accidentally contain sensitive text, can be scanned and displayed in reports.
The skill is expected to read local installed skill files to produce line-level findings. This is appropriate for an auditor, but users should know local skill contents may be read and summarized.
Deep audit of all installed skills with line-level findings.
Run it only on workspaces you intend to audit, and avoid storing secrets directly in skill files.
Users have less registry-provided provenance to confirm the package source.
The README documents a manual GitHub clone install path while the registry metadata lists source as unknown and homepage as none. This is a provenance gap, though no remote install script or dependency execution is shown.
git clone https://github.com/AtlasPA/openclaw-arbiter.git
cp -r openclaw-arbiter ~/.openclaw/workspace/skills/
Verify the repository and package contents before installing or updating.
