Skillv4.0.2

ClawScan security

Bloom Discovery · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

SuspiciousMar 19, 2026, 9:43 AM

Verdict: suspicious
Confidence: high
Model: gpt-5-mini
Summary: The skill mostly matches its stated purpose (local personality analysis + use-case matching) but includes inconsistencies around required secrets, what it may transmit, and developer/test scripts that can create auth tokens and post identity data — you should inspect/limit those before installing.
Guidance: What to check before installing/use: - Confirm expected env vars: the registry lists none but the repo and README reference JWT_SECRET, BLOOM_API_URL, DASHBOARD_URL and optional wallet envs. Treat JWT_SECRET as sensitive — do not set it unless you understand what tokens the skill will mint and who accepts them. - Avoid running developer/test scripts (generate-fresh-token.ts, test-* scripts) unless you intentionally want to create JWTs or test tokens. Those scripts require JWT_SECRET and will produce signed tokens and dashboard URLs. - Verify exactly what is sent to the Bloom backend: SKILL.md promises 'minimal transmission', but several test files build/POST identityData and recommendations. If you require strict offline analysis, inspect the code paths that call api.bloomprotocol.ai and run the skill offline or block that network endpoint. - Inspect openclaw-wrapper/execute.sh and scripts/run-from-session.ts to confirm they only read session files and do not upload raw conversation text. If you prefer, run the skill in a sandboxed environment first and monitor outgoing network calls (e.g., with a proxy or by setting BLOOM_API_URL to a local endpoint). - If you do not want files written into ~/.openclaw/skills, do not copy the openclaw-wrapper into your skills directory. Check what the wrapper will create before accepting it. - Run static audits: npm audit, review package.json scripts, and search source for any code that reads files outside the home directory or posts full conversation text. Pay attention to integrations (twitter/X, farcaster) that may access external accounts. Bottom line: the core functionality (local analysis + matching) appears coherent, but the repo contains scripts and configuration for token generation and networked flows that are not fully declared in the registry metadata — review and limit those before use.

Review Dimensions

Purpose & Capability: concernThe README/SKILL.md advertise local-only analysis and 'no API keys required', yet the repository and scripts reference environment configuration (JWT_SECRET in README and several test scripts), a BLOOM_API_URL, and code that posts identity/recommendation payloads to a remote API. mission-skill.json also declares BLOOM_API_URL and optional wallet envs. Asking for network and optional wallet parameters is coherent for claiming SBTs and dashboard features, but the registry metadata claimed no required envs/credentials which is inconsistent.
Instruction Scope: concernRuntime docs and scripts explicitly read conversation session files (~/.openclaw/agents/.../sessions/*.jsonl) and the installed-skill directory (~/.openclaw/skills/), which matches the stated behavior. However the codebase and tests build API payloads containing identityData and recommendations and show POSTs to /api/ endpoints. SKILL.md promises 'minimal transmission' and 'raw conversation text never sent', but test scripts assemble and (in simulation) would POST full identityData + recommendations — that gap between 'only top-level scores' vs. test payloads is a substantive mismatch. Also the project includes helper scripts that generate JWTs and dashboard URLs (generate-fresh-token.ts, test-with-real-analysis.ts) which, if run, create auth tokens tied to a secret.
Install Mechanism: noteThe skill package is delivered with many code files but no install spec in the registry (instruction-only). That lowers automatic install risk, but the bundle contains runnable scripts and a package.json with dependencies (including puppeteer, viem, twitter-api-v2). If you run npm install / npm run scripts locally you will fetch many third-party packages; nothing is downloaded from an untrusted URL at install time, but executing the included scripts will run non-trivial code from the repo.
Credentials: concernRegistry metadata declares no required env vars, but README, package.json scripts, and test files require or recommend JWT_SECRET, BLOOM_API_URL, DASHBOARD_URL, and (optionally) wallet-related envs. Several dev/test scripts will fail or throw if JWT_SECRET is missing. The presence of jwt signing and token-generation code (generate-fresh-token.ts, test-with-real-analysis.ts) means a secret named JWT_SECRET is meaningful and powerful; that is disproportionate to a purely local analyzer and should be explicitly declared and justified.
Persistence & Privilege: concernThe SKILL.md claims minimal writes (only ~/.bloom/agent-id.json and bloom-discoveries.md). The docs also instruct copying an 'openclaw-wrapper' into ~/.openclaw/skills/ (writing into the agent skills directory). The package includes mission/mission-cli scripts that reference agent wallet and heartbeat behavior. While 'always' is false, the skill contains scripts and wrappers that, if installed/copied, will modify the user's ~/.openclaw/skills and write agent files — a legitimate feature but worth flagging because it changes your skills directory and can create dashboard tokens and agent wallets.