ClawVitals

Advisory

Audited by Static analysis on Apr 30, 2026.

Overview

No suspicious patterns detected.

Findings (0)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

Running the skill will cause your agent to inspect your OpenClaw setup through the local CLI.

Why it was flagged

The skill instructs the agent to execute local CLI commands. The commands are clearly listed and aligned with a security health check, but they still operate on the user's local OpenClaw environment.

Skill content

Five CLI commands only:
- `openclaw security audit --json`
- `openclaw health --json`
- `openclaw --version`
- `openclaw update status --json`
- `node --version`

Recommendation

Install only if you want this kind of local security inspection, and review the reported findings before acting on remediation advice.

What this means

A scan may cause your OpenClaw CLI to check an update registry.

Why it was flagged

The artifacts disclose that one command may result in outbound network contact by the OpenClaw CLI, even though the skill itself declares no direct network access.

Skill content

`openclaw update status --json` ... may cause the OpenClaw CLI to contact its update registry. That is OpenClaw's own behaviour — the skill does not initiate or control it.

Recommendation

Be aware of this registry check if you operate in a restricted or offline environment.

What this means

The scan may reveal whether your messaging integrations are configured or failing.

Why it was flagged

The health check can inspect configured messaging channels and their probe results. This is expected for a security checker, and the instructions limit extracted fields and prohibit displaying secrets.

Skill content

`openclaw health --json` ... Extract only: for each channel entry — `configured` (boolean), `probe.ok` (boolean), `probe.error` ...

Recommendation

Run it from an admin/private context and avoid pasting raw command output into shared chats.

What this means

People in the same chat may see details about weaknesses in your OpenClaw setup.

Why it was flagged

The skill is intended to return scan results through a messaging surface. If invoked in a shared group, security posture details could be visible to other participants.

Skill content

Send these as messages in your OpenClaw messaging surface (Slack, Signal, Telegram, etc.): ... `show clawvitals details` → full report with remediation steps

Recommendation

Invoke detailed scans only in a private or administrator-only channel.