Skill v1.0.1
ClawScan security
Openclaw Security · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Suspicious · Feb 12, 2026, 10:26 AM
- Verdict
- suspicious
- Confidence
- medium
- Model
- gpt-5-mini
- Summary
- The skill is broadly coherent with an orchestrator for multiple security tools, but there are inconsistencies and an important security surface: it will execute arbitrary scripts in your workspace and depends on external installers (ClawHub) despite claiming no external deps and having an unknown source.
- Guidance
- This skill is an orchestrator that will run many other skill scripts inside whatever workspace you point it at. Before installing or running it: 1) Verify the source and repository — this package has no homepage and an unknown origin. 2) Expect it to call the ClawHub CLI or git/npm to fetch other tools; only allow that if you trust those package sources. 3) Inspect the code of the orchestrator and the individual security skill packages (scripts under workspace/*) before running setup/update/protect — they will be executed and can read/modify your files. 4) Run initial tests in an isolated or disposable workspace (or VM/container) and back up important data. 5) Ask the maintainer to clarify the README contradiction about 'no external dependencies' and to provide a verifiable homepage or repository before trusting it in a production environment.
- Findings
[pre-scan-none] expected: Static pre-scan reported no injection signals. Given the orchestrator's role (running other scripts), absence of simple regex flags is plausible; runtime risk is that installed skills executed by this orchestrator may include risky behavior.
Review Dimensions
- Purpose & Capability
- note: The name/description (a unified orchestrator for 11 security tools) match the included orchestrator script and SKILL.md commands. However the README and runtime behavior require the external ClawHub CLI for installing/updating tools, which contradicts the 'No external dependencies (stdlib only)' claim. Requiring a network installer (clawhub/git) is plausible for this purpose but the README/requirements inconsistency should be clarified.
- Instruction Scope
- concern: SKILL.md instructs the agent to run scripts/security.py which in turn runs other skill scripts found under the workspace (e.g., scripts/sentry.py, scripts/warden.py). That is expected for an orchestrator, but it means the skill will execute arbitrary code present in installed skill directories under your workspace and will read and likely modify workspace files. The instructions also auto-detect OPENCLAW_WORKSPACE and default to ~/.openclaw/workspace or current working dir, so be careful where you run it. The orchestration gives the skill broad discretion to run many scanners and setup/protect commands — appropriate for the stated purpose but high-risk if installed skills are untrusted.
- Install Mechanism
- note: There is no packaged install spec (instruction-only), which lowers direct supply risk. The orchestrator itself does not download arbitrary archives, but its install flow relies on the ClawHub CLI (and the README shows git clone as an option). Using clawhub/git/npm means network downloads and code execution are involved when installing the 11 tools. This is expected for a meta-installer but you should only use it with trusted registries/sources.
- Credentials
- ok: The skill declares no required environment variables or credentials. The script optionally reads OPENCLAW_WORKSPACE to locate the workspace, which is reasonable. There are no unexplained requests for tokens/keys in the metadata or SKILL.md.
- Persistence & Privilege
- ok: always is false and the skill is user-invocable. It will run subcommands that can modify the workspace and installed skills (setup, protect, update), which is normal for an orchestrator. There is no evidence it tries to force persistent inclusion or modify other skills' configs beyond operating on the workspace.
