Skill v0.1.1

ClawScan security

Claw Problem Diagnoser · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Suspicious (Feb 11, 2026, 11:40 AM)

Verdict: suspicious
Confidence: medium
Model: gpt-5-mini
Summary
The skill broadly matches its stated purpose (diagnosing OpenClaw), but there are several mismatches and sensitive behaviors (auto-fix, need for CLI tools/privileges, remote diagnosis) that are not declared in the manifest — review and restrict before installing.
Guidance
This skill appears to do what it claims (diagnose and fix OpenClaw issues) but has several red flags you should consider before installing or running it with elevated rights:

- Scope & privileges: It reads system and user config files (~/.openclaw, /etc), checks processes and resources, can run shell commands (e.g., 'openclaw init'), and supports remote SSH diagnosis. If you enable auto-fix or run it with sudo it can modify your system. Only run auto-fix after you understand the proposed changes.
- Manifest mismatches: The registry declares no required binaries or credentials, but the code/README expect the 'openclaw' CLI, network access (requests), and possibly SSH/remote access. Expect to manually verify that required CLIs and Python deps are present.
- Secrets & telemetry: The tool may read API keys or other credentials from config files to validate integrations. The manifest does not declare this, so review the code paths that read/transmit such values before use.
- Installation: There is no formal install spec; SKILL.md asks you to copy files into your skills folder or use ClawdHub. Prefer installing in an isolated environment (VM or container) first.

Recommended steps before trusting/installing:

1) Inspect the full Python code (especially functions that build or run shell commands, do network requests, or read config files) to see exactly what is sent externally or modified on disk.
2) Run the diagnoser in a read-only or dry-run mode (or review a --report output) before enabling --auto-fix or startup auto-diagnosis.
3) Disable autoDiagnoseOnStartup and set enableAutoFix=false by default; enable only after testing.
4) Test in a non-production VM/container and observe network traffic (to detect unexpected exfiltration).
5) If you must use remote diagnosis, ensure SSH credentials are handled separately and not stored or transmitted without your consent.

Given these inconsistencies and the potential for privileged modifications, treat the skill as 'suspicious' until you've manually audited its code and tested it in a safe environment.

Review Dimensions

Purpose & Capability
Concern: SKILL.md and the Python code align with a tool that diagnoses configs, dependencies, services, permissions and can auto-fix. However, the manifest declares no required binaries or credentials while the README and code expect to run 'openclaw' CLI commands, use 'sudo'/SSH for remote diagnosis, and call network endpoints. The omission of required binaries/privileges is a mismatch worth noting.
Instruction Scope
Concern: Runtime instructions and the code read user and system config files (~/.openclaw, /etc/openclaw), check processes and system resources, generate fixes and can run shell commands (e.g., 'openclaw init'), and support remote diagnosis (SSH). Those actions are within a diagnoser's purpose but are sensitive (may modify configs, require elevated privileges, and could transmit data remotely). The SKILL.md gives broad discretion for auto-fix and remote operations without strong safeguards.
Install Mechanism
Note: No formal install spec in registry, but SKILL.md provides manual install steps (copy into ~/.openclaw/skills) and a ClawdHub install hint. The package includes code and package.json (declares dependencies). There is no external URL download/extract; install risk is moderate and requires the user to place files on disk manually or via ClawdHub.
Credentials
Concern: The skill requests no environment variables or credentials in the manifest, yet SKILL.md and code mention validating API keys, testing integrations, and performing remote diagnosis. The tool will read config files that may contain secrets (API keys, tokens, SSH info) but the manifest doesn't declare this need. That mismatch increases the risk of unintended credential access or transmission.
Persistence & Privilege
Note: always:false (good). But the skill encourages adding autoDiagnoseOnStartup to user config and supports auto-fix and backups; these features create persistence and may run at startup if enabled. Fix operations may require elevated privileges (sudo). There is no always:true privilege escalation, but auto-fix + startup persistence + privileged operations is sensitive and should be user-controlled.