v1.0.2

Openclaw Ledger

ReviewClawScan verdict for this skill. Analyzed May 1, 2026, 5:23 AM.

Analysis

This is a local audit logger, but its tamper-detection promise appears stronger than the visible local hash-chain implementation supports.

Guidance: Install only if you want a local workspace change log and understand its limits. Do not rely on it as strong proof against someone who can edit the workspace unless you independently protect or externally anchor the ledger; also scope the workspace narrowly and verify the package source before manual installation.

Findings (4)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

Abnormal behavior control

Checks for instructions or behavior that redirect the agent, misuse tools, execute unexpected code, cascade across systems, exploit user trust, or continue outside the intended task.

Human-Agent Trust Exploitation
Severity: Medium | Confidence: High | Status: Concern
scripts/ledger.py
expected = GENESIS_HASH
...
if e.get("prev_hash") != expected:
    return False, i, len(entries)
expected = hash_entry(ej)

Verification starts from a public genesis value and checks only that local entries are internally consistent. The artifacts show no external trusted head hash, signature, remote append-only store, or other anchor, so a party able to edit the ledger could potentially rewrite a consistent chain.

User impact: A user may believe the ledger proves nobody altered the audit history, when it mainly detects simple or partial edits unless the .ledger files are independently protected.
Recommendation: Treat this as a local change log unless you separately protect it. For stronger tamper evidence, store signed head hashes outside the workspace, use an append-only remote log, or clearly document the limitation.

Tool Misuse and Exploitation
Severity: Low | Confidence: High | Status: Note
scripts/ledger.py
for root, dirs, fnames in os.walk(ws):
...
fh = file_hash(fp)
...
snap[str(fp.relative_to(ws))] = {"sha256": fh, "size": fp.stat().st_size}

The helper recursively opens files under the selected workspace to compute hashes and record file metadata. This is purpose-aligned for change tracking, but its reach becomes broad if the workspace path is too large.

User impact: If pointed at a broad or private folder, it will inspect many files to hash them and record filenames, sizes, hashes, and change status.
Recommendation: Run it only on project workspaces you intend to audit, not on a whole home directory or system path unless that is deliberate.

Agentic Supply Chain Vulnerabilities
Severity: Info | Confidence: High | Status: Note
metadata
Source: unknown
Homepage: none

The registry metadata does not provide a verified source or homepage, while README.md separately suggests cloning a GitHub repository. This is a provenance gap rather than evidence of malicious behavior.

User impact: It is harder to confirm that the reviewed package matches any external repository or future update source.
Recommendation: Install from a trusted registry package or verify the repository owner and commit if using the README's manual GitHub installation steps.

Sensitive data protection

Checks for exposed credentials, poisoned memory or context, unclear communication boundaries, or sensitive data that could leave the user's control.

Memory and Context Poisoning
Severity: Low | Confidence: High | Status: Note
scripts/ledger.py
LEDGER_DIR = ".ledger"
...
json.dump({"last_snapshot": snap, "init_time": now_iso()}, f, indent=2)

The skill creates persistent local audit state containing the last workspace snapshot and chain data. This is expected for an audit ledger, but it persists workspace file inventory metadata across sessions.

User impact: Anyone with access to the workspace may be able to see the recorded file names, hashes, sizes, and change history in .ledger.
Recommendation: Keep .ledger private, decide whether it should be committed or ignored, and protect or back it up if you rely on it.