v1.0.2

Openclaw Marshal

ReviewClawScan verdict for this skill. Analyzed May 1, 2026, 5:23 AM.

Analysis

Openclaw Marshal is presented as a local compliance auditor, but the included script advertises undisclosed active enforcement features that can quarantine skills and add runtime hooks.

Guidance: Review the source before installing. If you only want an audit/report tool, avoid or disable the enforce, quarantine, hooks, templates-apply, and protect paths; use an explicit workspace path, back up your skills directory, and verify the package origin.

Findings (4)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

Abnormal behavior control

Checks for instructions or behavior that redirect the agent, misuse tools, execute unexpected code, cascade across systems, exploit user trust, or continue outside the intended task.

Human-Agent Trust Exploitation
Severity: High | Confidence: High | Status: Concern
metadata
Free alert layer — upgrade to openclaw-marshal-pro for active enforcement, blocking, and automated remediation.

This user-facing description frames the free package as alert-only, reserving active enforcement for the paid tier, yet scripts/marshal.py advertises active enforcement, auto-quarantine, runtime hooks, and protection sweeps.

User impact: A user may install it expecting a read-only audit tool while the package includes advertised capabilities to change workspace behavior.
Recommendation: Clearly disclose active enforcement in SKILL.md and metadata, or remove/disable those commands from the free package until a user explicitly opts in.
Tool Misuse and Exploitation
Severity: High | Confidence: High | Status: Concern
scripts/marshal.py
marshal.py enforce [--workspace PATH]
marshal.py quarantine <skill> [--workspace PATH]
marshal.py unquarantine <skill> [--workspace PATH]
marshal.py hooks [--workspace PATH]
marshal.py protect [--workspace PATH]

The script advertises high-impact workspace mutation commands that are absent from SKILL.md's documented command list and are not accompanied by visible approval or containment guidance.

User impact: If invoked, these commands could disable, rename, or alter installed skills and workspace behavior rather than merely report compliance status.
Recommendation: Restrict the default workflow to audit/report/status, and require explicit confirmation, dry-run output, scoped paths, logs, and rollback instructions for any enforcement or quarantine action.
Rogue Agents
Severity: Medium | Confidence: Medium | Status: Concern
scripts/marshal.py
auto-quarantine non-compliant skills, generate runtime hooks, apply compliance templates, and run full automated protection sweeps

Runtime hooks and automated protection sweeps are persistent or ongoing control mechanisms, but the user-facing SKILL.md only documents policy, audit, check, report, and status commands.

User impact: The skill may leave behind enforcement hooks or broad workspace changes that continue affecting agent actions after the initial command.
Recommendation: Make hook generation explicitly opt-in, document exactly what files are written, and provide clear disable/uninstall and rollback steps.
Agentic Supply Chain Vulnerabilities
Severity: Low | Confidence: High | Status: Note
metadata
Source: unknown
Homepage: none

The registry metadata does not provide a verifiable source or homepage, while README.md separately gives a GitHub clone command, creating a provenance gap users should verify.

User impact: It is harder to confirm that the installed package matches the intended upstream project or future updates.
Recommendation: Verify the publisher and source repository before installation, and prefer packages with clear registry source metadata.