Skill v1.0.0

ClawScan security

Install OpenClaw · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Suspicious · Mar 5, 2026, 5:45 PM
Verdict
suspicious
Confidence
medium
Model
gpt-5-mini
Summary
The skill appears to perform the advertised install/config tasks, but it hardcodes a third‑party AI middleman (https://ai.jiexi6.cn), stores API keys in plaintext under your home directory, and directs users to execute a remote install script. These choices are not fully justified by the description and merit caution.
Guidance
This skill largely does what it says, but please do the following before running it: (1) Verify the ai.jiexi6.cn service—do not hand over API keys unless you trust that endpoint; consider using an official or self‑hosted gateway instead. (2) Inspect the remote installer (https://openclaw.ai/install.sh) before running curl | bash. (3) Be aware the scripts save API keys and Feishu credentials in plaintext under ~/.openclaw; if you proceed, restrict file permissions and consider storing secrets in a safer vault. (4) Review the cloned plugin repository (github.com/openclaw/feishu-plugin) after cloning and before starting the gateway. (5) If uncertain, run these scripts in a disposable/test environment or container first.
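The guidance above asks for two concrete actions: fetch the remote installer to disk and review it rather than piping it straight into bash, and make the plaintext credential files under ~/.openclaw owner-only. The script below is an added example, not part of the ClawScan report or the OpenClaw skill; the installer URL is the one named in the report, while the pinned hash and the sample config file are assumptions constructed for illustration.

```bash
#!/usr/bin/env bash
# Added example (not from the ClawScan report or the OpenClaw skill).
#  1. fetch_and_check_installer: download https://openclaw.ai/install.sh to a
#     file, verify a pinned SHA-256, and only then suggest running it
#  2. harden_secret_dir / audit_secret_files: make ~/.openclaw and the
#     models.json / feishu.json inside it owner-only, and flag anything
#     readable by group or others
# The expected hash passed to fetch_and_check_installer is an assumption you
# would obtain out of band (release notes, a second channel), not from the
# same site that serves the script.
set -u

INSTALLER_URL="https://openclaw.ai/install.sh"

# SHA-256 of a file, using whichever tool the host has (GNU or BSD).
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# Return 0 only if the file's digest equals the pinned value.
verify_sha256() {
    file=$1; expected=$2
    actual=$(sha256_of "$file")
    [ "$actual" = "$expected" ]
}

# Download to a file (never piped into a shell), force HTTPS and TLS 1.2+,
# then refuse to proceed unless the pinned hash matches. Not executed in this
# example because it needs the network; it documents the procedure.
fetch_and_check_installer() {
    out=$1; expected=$2
    curl --proto '=https' --tlsv1.2 -fsSL "$INSTALLER_URL" -o "$out" || return 1
    verify_sha256 "$out" "$expected" || {
        echo "hash mismatch for $out, refusing to run it" >&2
        return 1
    }
    echo "$out matches the pinned hash; read it, then run: bash $out"
}

# List files directly under dir whose mode grants any permission to group or
# others. Reads the mode string from ls -l (columns 5-10) so it works with
# both GNU and BSD userland. Returns 1 if any such file exists, 0 otherwise.
audit_secret_files() {
    dir=$1; bad=0
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        mode=$(ls -ld "$f" | cut -c5-10)
        case $mode in
            ------) ;;
            *) echo "group/world-accessible: $f ($mode)"; bad=1 ;;
        esac
    done
    return $bad
}

# Owner-only directory (700) and files (600), then re-audit to confirm.
harden_secret_dir() {
    dir=$1
    chmod 700 "$dir" || return 1
    for f in "$dir"/*; do
        [ -f "$f" ] && chmod 600 "$f"
    done
    audit_secret_files "$dir" >/dev/null
}
```

Typical use after the skill has written its configs: `audit_secret_files ~/.openclaw` to see what is exposed, then `harden_secret_dir ~/.openclaw`. The permission fix limits exposure to other local users; it does nothing about the key being sent to ai.jiexi6.cn, which is why step (1) of the guidance comes first.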

Review Dimensions

Purpose & Capability
note
Name/description match the actual actions: installing OpenClaw, configuring a Claude-compatible model endpoint, and installing a Feishu plugin. However, the skill consistently directs users to a specific third‑party AI gateway (https://ai.jiexi6.cn) rather than leaving provider choice generic; this is a design decision that should be questioned, but it is related to the stated purpose.
Instruction Scope
concern
Runtime instructions and scripts perform expected operations (install, clone plugin, create ~/.openclaw configs, test API connections). They also instruct executing a remote install script via curl | bash (https://openclaw.ai/install.sh) and hardcode the ai.jiexi6.cn base URL in configs. The scripts prompt for and persist secrets (API keys, Feishu credentials) to ~/.openclaw/*.json in plaintext and read those files back (e.g., fix-bugs.sh greps models.json). These actions are within install scope but widen the attack surface (remote script execution and plaintext credential storage).
Install Mechanism
ok
No packaged install spec, but the included scripts use standard package managers (pnpm, npm) and git clone from GitHub. There are no obscure or short‑URL downloads in the bundle. The one remote script execution is a curl of https://openclaw.ai/install.sh piped to bash, which is common but high‑risk if the target site is not verified.
Credentials
note
The skill does not declare required env vars but prompts the user for an AI gateway API key and Feishu credentials and writes them to config files. Requesting those secrets is proportional to the task, but storing them unencrypted in ~/.openclaw/models.json and ~/.openclaw/feishu.json is noteworthy and may expose the credentials to other local users or processes. The use of ai.jiexi6.cn is also not justified in the metadata; it is an external third party that receives the API-key validation requests made by the test scripts.
Persistence & Privilege
ok
The skill does not request always:true or elevated system privileges. It creates and modifies files under the user's home (~/.openclaw), installs global npm/pnpm packages if run (pnpm add -g openclaw), and may restart services via openclaw commands, which is reasonable for an installer but impactful. Nothing modifies other skills or system-wide agent configs beyond normal install behavior.