Skill v2.1.0

ClawScan security

Agent Loops · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Suspicious · Mar 8, 2026, 6:50 PM
Verdict
suspicious
Confidence
medium
Model
gpt-5-mini
Summary
The skill's code and docs match its stated purpose (orchestrating multi-agent workflows), but the package metadata omits real runtime requirements and the runtime will spawn an external CLI, optionally run a local router script, and persist run data — inconsistencies and undisclosed behavior warrant caution.
Guidance
What to check before installing/using:
- Expect the script to call the 'claude' CLI (claude -p). If you don't have or want that CLI, do not run --apply. The CLI will send task text to its backend (so anything you pass may be transmitted externally).
- The metadata omits this requirement; manually verify you have 'claude' in PATH and understand its authentication and privacy model.
- The script reads OPENCLAW_HOME (defaults to ~/.openclaw) and will write run records to OPENCLAW_HOME/workspace/skills/agent-loops/runs. Inspect that directory and its contents; avoid passing secrets in requests if you don't want them stored or transmitted.
- If an agent-swarm router script exists at OPENCLAW_HOME/workspace/skills/agent-swarm/scripts/router.py, this skill will execute it (subprocess). Audit that local router script before running to avoid executing untrusted local code.
- If you want to be cautious: run the script in dry-run mode (omit --apply) to see planned steps, review run_workflow.py and workflows, and run in an isolated environment or sandbox before giving it real project data.
- The inconsistencies (missing declared binary/env requirements) likely indicate sloppy metadata, not necessarily malicious intent, but you should inspect and confirm the runtime behavior matches your security/privacy needs.

Review Dimensions

Purpose & Capability
concern
The skill claims to orchestrate agent workflows and the included script implements that by invoking a 'claude' CLI and an optional agent-swarm router. However, registry metadata declares no required binaries or env vars even though the README and run_workflow.py require the 'claude' CLI in PATH and read OPENCLAW_HOME. The omission of these runtime dependencies in metadata is an incoherence the user should notice.
Instruction Scope
note
SKILL.md instructs running the included Python script which will spawn subprocesses (claude CLI) to execute tasks, chain outputs, and (per README) persist runs to a runs/ directory. The instructions do not attempt to read unrelated system files, but they do cause data to be sent to whatever backend the 'claude' CLI uses and they will save run output locally.
Install Mechanism
ok
No install spec is provided (instruction-plus-code only). This reduces supply-chain risk from remote downloads. The repository does include requirements.txt recommending PyYAML; SKILL.md suggests pip install pyyaml.
Credentials
concern
The skill declares no required environment variables or credentials but the code reads OPENCLAW_HOME (defaulting to ~/.openclaw) and passes the full environment to subprocesses. It relies implicitly on a configured 'claude' CLI (which may itself require credentials). The lack of declared env/binary requirements is disproportionate and hides important runtime assumptions.
Persistence & Privilege
note
The script persists live-run data to OPENCLAW_HOME/.../runs (per README and RUNS_DIR in code). always:false and it does not request elevated privileges or modify other skills. Persisting user inputs/outputs locally is normal for tooling but should be noted since sensitive inputs will be saved by default.