Skill v1.0.2
ClawScan security
Openclaw Egress · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Suspicious · Feb 12, 2026, 10:26 AM
- Verdict: suspicious
- Confidence: medium
- Model: gpt-5-mini
- Summary: The skill mostly does what it claims (scan for outbound URLs/network calls), but the included script contains code and constants for quarantining and writing allowlists (modifying other skills/workspace) while the documentation emphasizes a free 'alert-only' mode — this mismatch and the ability to modify workspace files is concerning.
- Guidance: This skill largely does what it says — scanning for outbound URLs and network calls — but the bundled script contains code paths for saving an allowlist and for quarantining/modifying skills (renaming directories, inserting block comments). The SKILL.md and README emphasize 'alert-only' for the free version yet the code includes modification capabilities; source/homepage are not provided. Before installing or running: (1) review the full scripts (search for rename/move, os.remove, shutil.move, write/open calls that change other directories), (2) run scans on a copy or a non-production workspace first, (3) back up your workspace/skills, (4) prefer running with --skills-only and in read-only mode if available, and (5) avoid granting broad write access if you don’t trust the source. If you need absolute assurance, ask the publisher for a provenance URL or a signed release and/or run the script in an isolated container or VM.
- Findings:
  - [network_call_detection_patterns] expected: The script includes regexes and heuristics to detect network libraries, curl/wget, and outbound URLs — this is expected for a DLP/egress scanner.
  - [allowlist_persistence_write] unexpected: The script defines ALLOWLIST_FILE and implements save_allowlist/load_allowlist to write .egress-allowlist.json into the workspace. The SKILL.md promised 'free alert' with pro features for allowlists; persistent writes should be explicitly documented and opt-in.
  - [quarantine_modification_capability] unexpected: Constants like QUARANTINE_PREFIX and BLOCK_COMMENT plus header text mentioning 'quarantine' and 'block' indicate the script is capable of modifying or renaming other skill directories and adding block comments — behavior not clearly declared in runtime instructions.
Review Dimensions
- Purpose & Capability (note): Name/description match the code's scanning capabilities (URL detection, network-call heuristics). Requiring only python3 is proportionate. However, the package also contains constants and helper functions for quarantine and allowlist persistence (QUARANTINE_PREFIX, BLOCK_COMMENT, save_allowlist) which go beyond a read-only scanner and are not clearly declared in SKILL.md's 'free alert' description.
- Instruction Scope (concern): SKILL.md documents only scanning, domain listing, and status commands and promises 'everything runs locally' with no external I/O. The script's header and constants indicate functionality to quarantine skills and enforce allowlists (which implies modifying files/directories). The instructions do not warn that running the script could rename directories, write .egress-allowlist.json, insert block comments, or otherwise modify workspace/skills.
- Install Mechanism (ok): No install spec; the skill is shipped as a script and README. That's low-risk from a supply-chain/remote-download perspective. It does include an actual script file (not instruction-only), so there is executable code to review.
- Credentials (concern): The skill requests no credentials and only python3, which is appropriate for scanning. However, the script reads and writes inside the user's workspace (loads/saves an allowlist file and likely can quarantine/modify other skill directories). That level of filesystem write access should be explicitly declared and justified; it is not surfaced clearly in the SKILL.md usage examples.
- Persistence & Privilege (concern): The skill is not always-enabled and not force-installed, which is good. However, the code appears able to modify other skills (quarantine via directory rename/prefix and potentially inject block comments) and to persist an allowlist in the workspace. Modifying other skills' files or directories without an explicit, visible opt-in is a privileged action and a notable risk.
