Openclaw Triage
Pass
Audited by ClawScan on May 1, 2026.
Overview
This is a coherent local forensic triage skill, but it intentionally reads broad workspace contents and stores local evidence, so users should treat its output directory as sensitive.
This skill appears suitable for local incident response. Before installing or running it, confirm the workspace path, expect broad local file inspection, and protect the .triage evidence directory because it can contain sensitive forensic records.
Findings (4)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
The agent can invoke a script that reads many files in the selected workspace and produces security findings.
The skill runs a local Python tool over a workspace and performs broad forensic analysis. This is appropriate for incident response, but users should ensure they point it at the intended workspace.
Collects workspace state, checks for signs of compromise ... cross-references with warden/ledger/signet/sentinel data
Run it only against workspaces you intend to investigate, and review the selected --workspace path before evidence collection.
If secrets are present in the workspace, the triage report may reveal their presence or related evidence.
The skill may read files containing tokens or secrets to detect exposure. That is purpose-aligned for compromise triage, and the artifacts do not show credential transmission or unrelated account use.
checks for credential exposure patterns in recently modified files
Protect triage outputs as sensitive and avoid sharing reports or evidence directories without review.
Users may rely on an external repository not reflected in the registry source metadata.
The registry lists the source as unknown and no homepage, while the README points to a GitHub repository for installation. This is not suspicious by itself, but it is a provenance detail users should notice.
git clone https://github.com/AtlasPA/openclaw-triage.git
Install from a trusted source and verify that the installed files match the reviewed package.
Triage evidence may remain on disk after the investigation and could expose workspace structure, hashes, timestamps, or security-tool records.
Evidence collection persists forensic metadata and copied security-tool data locally. This is expected for incident response, but persistent evidence can contain sensitive workspace history.
Saves everything to `.triage/evidence-{timestamp}/` or a custom directory
Store evidence directories securely, restrict access, and delete or archive them according to your incident-response policy.
