Skillv1.0.0

ClawScan security

Plugin Publisher · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

SuspiciousApr 20, 2026, 9:16 PM

Verdict: suspicious
Confidence: high
Model: gpt-5-mini
Summary: The skill's scaffolding and OpenClaw conversion parts match its stated purpose, but it claims GitHub publishing and other network actions without declaring the required binaries or credentials — that mismatch is unexplained and worth caution.
Guidance: This skill largely does what it says (scaffold plugin directories, generate manifests, and produce an OpenClaw deployment script), but the red flag is its claim to 'create/connect to a GitHub repo and push' without declaring the required tools or credentials. Before installing or running anything: 1) Inspect the full SKILL.md to find exact git/remote commands it would execute. 2) Do not paste or expose any secrets or tokens to the agent; prefer to run git pushes yourself or use your local, already-authenticated git client. 3) If you intend automated pushes, require the skill to explicitly list needed env vars (GITHUB_TOKEN, GH_HOST, SSH key path) and document how it stores/uses them. 4) Review the included openclaw-generator-template.sh before running it — it will write into ~/.openclaw and suggests installing OpenClaw via curl|bash, which you should only do from a trusted source. 5) If you need the GitHub publishing feature, ask the skill author to clarify authentication flow (interactive approval, use of gh CLI, or explicit env vars) or to limit the skill to scaffolding only and leave pushes to the user.

Review Dimensions

Purpose & Capability: concernThe skill claims end-to-end plugin creation and publishing (including 'create or connect to a GitHub repo, push it, and package a .plugin file'). However the registry metadata declares no required binaries (git, gh) and no required environment variables (e.g., GITHUB_TOKEN or SSH key paths). That omission is inconsistent: pushing to GitHub or automated publishing normally requires credentials and/or CLI tools.
Instruction Scope: noteThe SKILL.md primarily instructs the agent to scaffold plugin files, produce marketplace and plugin manifests, and generate an openclaw-install.sh installer — all consistent with the stated purpose. It also says it will 'create or connect to a GitHub repo, push it' but the provided instructions and template script do not declare how authentication or network pushes are handled. The skill may rely on interactive user-provided credentials or implicit environment state (SSH agent, `git` already logged in), but that behavior is not documented in the skill manifest, which grants the agent wide discretion in how to proceed.
Install Mechanism: noteThis is instruction-only (no install spec), which is low-risk. The package includes a bash template script that writes into the user's home (~/.openclaw) and references the `openclaw` binary. The script also prints an install hint using curl to fetch openclaw's installer ('curl -fsSL https://openclaw.ai/install.sh | bash'), which is a network-based install pattern — expected for installing a third-party tool but worth reviewing before running.
Credentials: concernAlthough the SKILL.md and references discuss using ${ENV_VAR} placeholders for MCP server secrets and documenting required env vars in READMEs, the skill metadata itself declares no required environment variables. Given the claimed capabilities (GitHub pushes, possible .mcp.json secrets), it's disproportionate to request no credential-related inputs — the skill should explicitly declare what credentials it needs and how it will obtain them (interactive prompt, user-provided env vars, or local SSH/credential helpers).
Persistence & Privilege: okThe skill does not set always:true and does not request elevated platform privileges. The included script writes files to the user's OpenClaw workspace (~/.openclaw) which is consistent with its purpose of deploying an agent, and does not appear to modify other skills' configurations. Autonomous invocation is enabled by default (normal) but not combined here with other high-risk flags.