Back to skill
Skillv1.0.0
ClawScan security
Openclaw Skills Setup Cn · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
BenignMar 8, 2026, 4:56 AM
- Verdict
- benign
- Confidence
- high
- Model
- gpt-5-mini
- Summary
- The skill is an instruction-only helper for installing and using ClawHub in Chinese; its requested actions and lack of credentials or installs are consistent with its description.
- Guidance
- This skill is a short, instruction-only helper for installing and managing ClawHub and appears internally consistent. Before running its commands: 1) verify the origin and maintainer of the npm package 'clawhub' (npm packages run code on install); 2) prefer non-root installs or use a container/VM if you want to limit impact of global npm installs; 3) ensure any mirror URL you set (e.g., Alibaba mirror) is trustworthy — mirrors can serve arbitrary packages; 4) when using clawhub to install other skills, review those skills' provenance and permissions because installing a skill pulls code from external sources. No credentials are requested by this skill itself.
Review Dimensions
- Purpose & Capability
- okThe name/description state ClawHub installation, mirror configuration, skill discovery and management; the SKILL.md contains exactly those npm/pnpm and clawhub/openclaw commands and no unrelated requirements.
- Instruction Scope
- okInstructions only tell the agent to run package installs (npm/pnpm) and clawhub/openclaw CLI commands (search, install, update, enable/disable). They do not instruct reading arbitrary system files, exporting environment variables, or sending data to unexpected endpoints.
- Install Mechanism
- okThis is an instruction-only skill with no install spec. The recommended install methods (npm/pnpm -g) are standard for a CLI tool and match the claimed purpose; no downloads from obscure URLs or archive extraction are present.
- Credentials
- okThe skill declares no required env vars, credentials, or config paths. The only configuration shown is setting a mirror URL for package downloads — which is proportionate to helping domestic users speed up installs.
- Persistence & Privilege
- okalways is false and the skill is user-invocable. It does not request persistent system privileges or modify other skills' configurations beyond normal enable/disable commands described.