Skill v1.2.0
ClawScan security
Skill Vetter · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Suspicious · Apr 13, 2026, 5:55 AM
- Verdict: suspicious
- Confidence: medium
- Model: gpt-5-mini
- Summary: The skill's documentation and vetting procedures broadly match its stated purpose, but there are several inconsistencies and instructions that would require modifying system tooling or reading sensitive files even though no code or install hooks are provided — which makes the package suspicious and worth manual review before use.
- Guidance: This package appears to be a vetting checklist and integration plan, not a complete, self-contained scanner. Before you run or integrate it:
  1. Do not run any suggested modification commands that edit clawhub or system files without inspecting the exact changes.
  2. Ask the publisher for the missing skill_vetter.ps1 (or the actual scanner binary) and review its source before executing it.
  3. Confirm whether the scanner needs to read token files or other credentials; never give it access to your Clawhub token or ~/.openclaw workspace without manual review.
  4. If you want a vetting workflow, prefer a vetted, signed scanner distributed from an official source (or run any new scanner inside an isolated sandbox/VM).
  5. If you plan to integrate auto-blocking into clawhub, require a human review step and code review of the exact patch to clawhub's CLI rather than applying opaque instructions from this package.
Review Dimensions
- Purpose & Capability (concern): The name/description (skill vetting) matches the instructions in SKILL.md. However package metadata (package.json main -> skill_vetter.ps1 and INTEGRATION_REPORT.md references a PowerShell scanner) describe an executable that is not present in the manifest. The docs also describe modifying clawhub internals to integrate the scanner — a capability beyond a simple instruction-only vetting guide. This mismatch (claims of an executable + integration hooks vs. no actual executable files) is incoherent and should be explained by the author.
- Instruction Scope (concern): SKILL.md tells an agent to read ALL files of target skills and includes explicit integration hooks that modify the clawhub install path and auto-block installs. It also references reading/writing token locations and workspace paths. Those instructions go beyond passive vetting guidance and would require filesystem access and changes to other tooling; they grant broad authority and should not be executed blindly. The skill also instructs auto-blocking installs with no UI confirmation in some cases.
- Install Mechanism (ok): There is no install spec and no code files included in the package (instruction-only). That is the lowest-risk install model — nothing in the package will be written to disk by an installer. However the documentation expects an external PowerShell script (skill_vetter.ps1) to exist for actual scanning; because that script is missing, any attempt to follow integration steps would require obtaining and running external code (higher risk).
- Credentials (concern): The skill declares no required env vars or credentials, but the docs reference environment variable CLAWHUB_SKILL_VETTER, a Clawhub token path (C:\Users\atlas\.clawhub\token), and default workspace locations. The instructions would have agents read or modify user workspace and CLI installation paths and potentially access saved tokens — access to these secrets/configs is not declared or justified in metadata.
- Persistence & Privilege (concern): SKILL.md describes modifying clawhub's installation flow (editing cli/commands/skills.js) to call the scanner before installs and to auto-block. That requires modifying other software and granting persistent influence over future installs. The skill metadata does not request or justify such persistence or elevated privileges. While always:false and autonomous invocation are normal, the skill's own instructions attempt to create permanent hooks into the package manager, which is a privilege escalation risk if followed.
