Skill v0.1.1
ClawScan security
Claw Security Scanner · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Suspicious · Feb 11, 2026, 11:40 AM
- Verdict: suspicious
- Confidence: medium
- Model: gpt-5-mini
- Summary: The package mostly matches a security-scanner description, but there are notable implementation gaps and risky capabilities (remote scans, 'dynamic' sandboxing, and auto-fix) that are not justified or fully specified and could lead to code execution or data exfiltration if enabled incorrectly.
- Guidance: This skill appears to be a legitimate security scanner, but exercise caution before enabling any automatic or dynamic features. Before installing or enabling:
  1) Review the scanner's code paths that perform dynamic analysis or execute subprocesses (search for code that downloads, extracts, or runs scanned code).
  2) Keep autoScan/scanOnInstall and auto-fix disabled by default until you confirm safe behavior; prefer manual scans.
  3) Run the scanner in an isolated environment (container or VM) with network disabled when performing deep/dynamic scans of untrusted skills.
  4) If you use the documented pip/GitHub/Docker install paths, verify the upstream repository and Docker image are trustworthy; prefer installing only from verified sources.
  5) If you lack capacity to audit the dynamic analysis code, do not grant it wide access to your ~/.openclaw/skills tree or enable automatic fixes — treat it as a powerful tool that can read many files and modify them.
  Enabling networked reporting/notifications or the Docker image without vetting could allow exfiltration of findings; review where reports would be sent and disable automatic uploads if unsure.
Review Dimensions
- Purpose & Capability (note): Name and docs describe a skill-scanner and the repository contains detectors and tests that implement credential, malware, and dependency checks — this is coherent. However SKILL.md and docs advertise dynamic sandbox execution, auto-fix, CI/Docker deployment, and remote URL scanning while the packaged metadata lists no install/runtime privileges or explicit sandbox tools; the advertised dynamic execution and auto-fix features are not clearly implemented or constrained in the provided files (implementation gap).
- Instruction Scope (concern): Runtime instructions explicitly instruct scanning local skills, scanning remote URLs, and running deep/dynamic analysis. The docs promote options like --deep, --auto-fix, scanning --url, and scanning all installed skills (scanOnInstall). Those behaviors legitimately require reading many local files and potentially downloading and executing untrusted code — which is expected for a scanner but also high-risk. The SKILL.md encourages automatic scans on install and automated fixes, which could modify user files. The instructions do not clearly require or document strict sandboxing, network isolation, or safe defaults (e.g., auto-fix disabled), giving the agent broad discretion to read and (potentially) change many files and to fetch remote code.
- Install Mechanism (note): There is no formal install spec in the registry (the skill is 'instruction-only' per metadata), but the bundle includes code, package.json, and extensive INSTALLATION.md advising pip installs from GitHub and a Docker image (clawsecurity/scanner:latest). Those install suggestions reference common hosts (GitHub, Docker Hub) but the Docker image and the repository are third‑party/unverified. No packaged install script is enforced by the registry metadata, so installing via the documented methods would fetch code from external sources (risk depends on the source).
- Credentials (ok): The skill declares no required environment variables or external credentials in metadata. The scanner searches for credentials inside scanned code (AWS keys, JWTs, etc.) but does not request those credentials itself — this is proportionate for a scanner. No unrelated secrets or system credentials are requested by the skill metadata.
- Persistence & Privilege (note): always:false (no forced inclusion). However the recommended configuration examples enable autoScan and scanOnInstall, which would cause the scanner to run automatically when skills are installed/updated. That behavior is user-configurable, not an inherent platform privilege, but if enabled it broadens the scanner's reach (reads many skills). There is also an 'auto-fix' feature referenced which could modify files — the registry metadata does not show explicit privileges for that, and the code/docs don't transparently explain safe defaults for these behaviors.
