Skillv1.2.0

ClawScan security

ClawTime Setup · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

SuspiciousFeb 22, 2026, 5:55 PM

Verdict: suspicious
Confidence: medium
Model: gpt-5-mini
Summary: The skill's instructions largely match the stated purpose (installing a local ClawTime web UI), but there are metadata mismatches and supply‑chain/persistence operations (cloning and running a GitHub repo, npm install, writing launchd scripts, storing tokens in Keychain) that warrant caution before installation.
Guidance: Things to consider before installing: - Review the remote repo before running it: the installer will git clone https://github.com/youngkent/clawtime.git and run npm install and node server.js. Inspect server.js and package.json (and all npm dependencies) for unexpected network calls, credential exfiltration, or privileged actions. - Metadata mismatches: the registry claims no required env vars but SKILL.md requires PUBLIC_URL and GATEWAY_TOKEN; the installer also uses the 'openclaw' CLI but the top-level required binaries list omitted it. Expect to need the OpenClaw CLI and tokens. - Sensitive tokens: the installer will store GATEWAY_TOKEN and SETUP_TOKEN in your macOS Keychain (or ask you to paste them). That is reasonable for this use case, but ensure you trust the code that will read them at runtime. - Persistence: the docs encourage creating launchd agents (auto-start, KeepAlive). If you install, be prepared to remove those plists and start scripts to uninstall. - Supply-chain risk: npm install will fetch third‑party packages. If you cannot audit the repo and dependencies, consider running the service in an isolated environment (VM/container) or reviewing a pinned commit in the repo first. - TTS command injection: the documentation correctly warns that unescaped {{TEXT}} substituted into shell commands is dangerous; verify the server implementation does proper sanitization or uses execFile/argument arrays. - What would increase confidence: a trustworthy homepage or verified upstream repo, an explicit list of file changes the installer makes, and a quick manual review of server.js and package.json confirming no unexpected outbound network endpoints or secret uploads. Given the above inconsistencies and the fact the installer fetches and executes remote code, proceed only after code review or using an isolated environment.

Review Dimensions

Purpose & Capability: noteThe name/description (installing a local ClawTime webchat behind a Cloudflare tunnel) aligns with the required binaries and actions (node, cloudflared, git, npm, keychain, filesystem). However registry metadata omitted the openclaw CLI although the install script and SKILL.md require and call 'openclaw' (the installer checks for it and attempts to use ~/.openclaw/openclaw.json). Also the top-level registry fields claim 'no required env vars' while SKILL.md documents PUBLIC_URL and GATEWAY_TOKEN as required.
Instruction Scope: noteSKILL.md and included docs instruct the agent to clone a GitHub repo, edit/write ~/.cloudflared/config.yml, create ~/Projects/clawtime, start services, and read/write local files (including ~/.openclaw/openclaw.json and keychain entries). These actions are consistent with installing a local web UI but are broad (filesystem, network, keychain). There is no obvious exfiltration endpoint in the docs, and the authors explicitly note TTS command injection risks and recommend safe patterns.
Install Mechanism: concernThe included scripts clone and run code from https://github.com/youngkent/clawtime.git and run 'npm install' and 'node server.js' — i.e., the installer will fetch and execute third‑party code at runtime. While GitHub is a common host, the repo owner is unknown (no homepage provided) and npm dependencies introduce supply‑chain risk. There is no packaged install spec from a verified registry; the script performs persistent changes (writing start scripts, config files).
Credentials: noteThe skill needs sensitive tokens (GATEWAY_TOKEN, SETUP_TOKEN) and PUBLIC_URL to function; requesting and storing these in macOS Keychain is proportionate. But the registry manifest claims 'no required env vars' while the SKILL.md marks PUBLIC_URL and GATEWAY_TOKEN as required — an inconsistency the user should notice. The installer also attempts to auto-read ~/.openclaw/openclaw.json to extract a token, which is related to the gateway purpose but means the script will access other local config files.
Persistence & Privilege: noteThe skill does not declare always:true. However the provided instructions and scripts guide the user to create persistent launchd agents (KeepAlive: true) and write start scripts under ~/Projects and ~/.cloudflared, which grants long‑lived presence on the machine. This is expected for a local service but increases blast radius if the installed code is malicious.