v1.0.2

Openclaw Signet

Review

ClawScan verdict for this skill. Analyzed May 1, 2026, 5:23 AM.

Analysis

Review before installing: the skill is mostly a local hash verifier, but its included script advertises commands that can reject, quarantine, restore, or otherwise change installed skills despite being framed as an alert-only verifier.

Guidance: Install only if you are comfortable with a local Python tool reading all installed skill files and writing a trust manifest. Treat reject, quarantine, restore, and protect behavior as high-impact workspace changes, and do not let an agent run those actions without explicit approval and a backup.

Findings (3)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

Abnormal behavior control

Checks for instructions or behavior that redirect the agent, misuse tools, execute unexpected code, cascade across systems, exploit user trust, or continue outside the intended task.

Tool Misuse and Exploitation
Severity: Medium | Confidence: Medium | Status: Concern
scripts/signet.py
plus automatic rejection of unsigned skills, quarantine of tampered ones, trusted snapshots, and restoration

The bundled script describes high-impact actions against installed skill directories, not only hash calculation and reporting.

User impact: A mistaken or autonomous invocation could remove, quarantine, or restore installed skills, changing what the agent can do.
Recommendation: Use only the documented sign, verify, list, and status flows unless you explicitly intend to mutate installed skills; require user confirmation and backups before any reject, quarantine, restore, or protect action.
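One way to structure a workspace-changing action so that it satisfies this recommendation, as an added example for this review and not code from openclaw-signet: the action defaults to a dry run, refuses unless an explicit confirmation callback approves it, and copies the skill to a backup location before moving it. The names quarantine_skill, confirm and the backups/quarantined layout are hypothetical.

```python
"""Guarded quarantine: dry run by default, explicit approval, backup before move.

Added example for this review; not the openclaw-signet implementation.
"""
import shutil
import tempfile
from datetime import datetime, timezone
from pathlib import Path
from typing import Callable, Optional


def quarantine_skill(skill_dir: Path, quarantine_root: Path,
                     confirm: Optional[Callable[[str], bool]] = None,
                     dry_run: bool = True) -> dict:
    """Move skill_dir under quarantine_root, but only after a backup and approval.

    Returns a plan/result dict. With dry_run=True (the default) nothing on disk
    changes; with dry_run=False the move happens only if confirm(...) returns True.
    """
    plan = {"skill": skill_dir.name, "action": "quarantine", "dry_run": dry_run,
            "performed": False}
    if not skill_dir.is_dir():
        plan["status"] = "no-such-skill"
        return plan
    if dry_run:
        plan["status"] = "planned"          # report only; an agent sees what would happen
        return plan
    prompt = f"Quarantine skill '{skill_dir.name}'? It will be removed from the workspace."
    if confirm is None or not confirm(prompt):
        plan["status"] = "refused"          # no human-backed approval, no mutation
        return plan
    stamp = datetime.now(timezone.utc).strftime("%Y%m%dT%H%M%SZ")
    backup = quarantine_root / "backups" / f"{skill_dir.name}-{stamp}"
    shutil.copytree(skill_dir, backup)      # backup first, so a restore path always exists
    dest = quarantine_root / "quarantined" / skill_dir.name
    dest.parent.mkdir(parents=True, exist_ok=True)
    shutil.move(str(skill_dir), str(dest))
    plan.update(status="quarantined", performed=True,
                backup=str(backup), quarantined_to=str(dest))
    return plan


def demo() -> dict:
    """Exercise the three paths on a constructed workspace; returns what happened."""
    out = {}
    with tempfile.TemporaryDirectory() as tmp:
        ws = Path(tmp) / "skills"
        qroot = Path(tmp) / "signet-quarantine"
        skill = ws / "demo-skill"                      # constructed sample skill
        skill.mkdir(parents=True)
        (skill / "SKILL.md").write_text("# demo\n")

        dry = quarantine_skill(skill, qroot)            # default: dry run
        out["dry_run_status"] = dry["status"]
        out["still_present_after_dry_run"] = skill.is_dir()

        refused = quarantine_skill(skill, qroot, dry_run=False)   # no confirm callback
        out["refused_status"] = refused["status"]
        out["still_present_after_refusal"] = skill.is_dir()

        done = quarantine_skill(skill, qroot, confirm=lambda msg: True, dry_run=False)
        out["real_status"] = done["status"]
        out["removed_from_workspace"] = not skill.is_dir()
        out["backup_has_skill_md"] = (Path(done["backup"]) / "SKILL.md").is_file()
        out["quarantined_has_skill_md"] = (Path(done["quarantined_to"]) / "SKILL.md").is_file()
    return out


if __name__ == "__main__":
    print(demo())
```

The confirm callback is where an agent framework would route the prompt to a human; passing a callback that always returns True, as the demo does, is exactly the shortcut the recommendation warns against and is only used here to exercise the real path.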
Human-Agent Trust Exploitation
Severity: Medium | Confidence: High | Status: Concern
SKILL.md
Free alert layer — upgrade to openclaw-signet-pro for rejection, quarantine, and trust chain restoration.

The user-facing description sets an expectation that rejection, quarantine, and restoration are not part of this skill, while the included script advertises those capabilities.

User impact: Users may install it expecting an alert-only verifier while the package contains code for workspace-changing countermeasures.
Recommendation: Align the documentation and package contents: either remove the mutation commands from this skill or clearly document their scope, prompts, and recovery behavior.
Sensitive data protection

Checks for exposed credentials, poisoned memory or context, unclear communication boundaries, or sensitive data that could leave the user's control.

Memory and Context Poisoning
Severity: Low | Confidence: High | Status: Note
scripts/signet.py
manifest["skills"][sd.name] = {
            "composite_hash": composite, "files": files,

The verifier persists a trust baseline containing per-file hashes and paths, which later verification treats as authoritative.

User impact: If the manifest is created after a compromise or later overwritten, the tool can treat a bad skill state as trusted.
Recommendation: Create the manifest only from a known-good workspace, protect the .signet manifest from unnecessary edits, and re-sign only after reviewing changes.
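The failure mode in this finding is easy to see with a small model of the verifier. The following is an added example written for this review, not openclaw-signet's code: the manifest layout (per-skill "composite_hash" and "files") follows the quoted snippet, but build_manifest, seal_manifest, verify_skill and the operator key are hypothetical. It shows a clean baseline catching a tampered file, then two ways the baseline itself becomes the weak point: re-signing after the tamper blesses the bad state, and rewriting the manifest without the key is caught only because the manifest carries a keyed seal.

```python
"""Trust-baseline model: per-file hashes, a composite hash, and a keyed seal.

Added example for this review; not the openclaw-signet implementation.
"""
import hashlib
import hmac
import json
import tempfile
from pathlib import Path


def hash_skill_dir(skill_dir: Path) -> dict:
    """Hash every file under a skill dir; the composite covers paths and contents."""
    files = {}
    composite = hashlib.sha256()
    for path in sorted(p for p in skill_dir.rglob("*") if p.is_file()):
        rel = path.relative_to(skill_dir).as_posix()
        digest = hashlib.sha256(path.read_bytes()).hexdigest()
        files[rel] = digest
        composite.update(f"{rel}\0{digest}\n".encode())
    return {"composite_hash": composite.hexdigest(), "files": files}


def build_manifest(workspace: Path) -> dict:
    """Snapshot every skill directory: this is the trust baseline."""
    skills = {sd.name: hash_skill_dir(sd)
              for sd in sorted(workspace.iterdir()) if sd.is_dir()}
    return {"skills": skills}


def _canonical(skills: dict) -> bytes:
    return json.dumps(skills, sort_keys=True, separators=(",", ":")).encode()


def seal_manifest(manifest: dict, key: bytes) -> dict:
    """Attach an HMAC so a manifest rewritten without the key is detectable."""
    mac = hmac.new(key, _canonical(manifest["skills"]), "sha256").hexdigest()
    return {"skills": manifest["skills"], "mac": mac}


def manifest_is_sealed(sealed: dict, key: bytes) -> bool:
    expected = hmac.new(key, _canonical(sealed["skills"]), "sha256").hexdigest()
    return hmac.compare_digest(expected, sealed.get("mac", ""))


def verify_skill(sealed: dict, key: bytes, skill_dir: Path) -> str:
    """Return 'ok', 'tampered', 'unknown', or 'manifest-untrusted'."""
    if not manifest_is_sealed(sealed, key):
        return "manifest-untrusted"        # baseline itself cannot be trusted
    entry = sealed["skills"].get(skill_dir.name)
    if entry is None:
        return "unknown"                   # unsigned skill: not in the baseline
    current = hash_skill_dir(skill_dir)
    return "ok" if current["composite_hash"] == entry["composite_hash"] else "tampered"


def demo() -> dict:
    """Clean baseline, tamper, naive re-sign, then a manifest rewrite without the key."""
    key = b"operator-held-key"            # constructed; keep it outside the workspace
    results = {}
    with tempfile.TemporaryDirectory() as tmp:
        ws = Path(tmp)
        skill = ws / "demo-skill"         # constructed sample skill
        skill.mkdir()
        (skill / "SKILL.md").write_text("# demo\n")
        (skill / "run.py").write_text("print('hello')\n")

        sealed = seal_manifest(build_manifest(ws), key)
        results["clean"] = verify_skill(sealed, key, skill)

        (skill / "run.py").write_text("import os; os.system('curl evil')\n")  # constructed tamper
        results["after_tamper"] = verify_skill(sealed, key, skill)

        # Poisoned baseline: re-signing without review blesses the tampered state.
        resigned = seal_manifest(build_manifest(ws), key)
        results["resigned_after_tamper"] = verify_skill(resigned, key, skill)

        # Manifest overwritten with fresh hashes but without the key: seal fails.
        forged = {"skills": build_manifest(ws)["skills"], "mac": sealed["mac"]}
        results["forged_manifest"] = verify_skill(forged, key, skill)
    return results


if __name__ == "__main__":
    print(demo())
```

The "resigned_after_tamper" result is the point of the finding: no amount of manifest protection helps if the operator re-signs a workspace that is already compromised, which is why the recommendation says to re-sign only after reviewing the diff. The seal only closes the second door, a manifest edited by something that does not hold the key.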