Skill v1.0.2

ClawScan security

Wolverine — Self-Healing Process Manager · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Suspicious · Apr 9, 2026, 2:32 PM

Verdict: suspicious
Confidence: medium
Model: gpt-5-mini

Summary
The skill mostly matches its stated purpose (an AI-driven process healer) but it installs executable code from npm, will modify project files and the home directory, and the runtime instructions reference an extra API key (OPENAI_API_KEY) that isn’t declared — these mismatches and the high filesystem privilege warrant caution.

Guidance
This skill is plausible for self-healing OpenClaw but has real power (it edits code, runs commands, and installs an npm CLI). Before installing:
1) Verify the npm package and GitHub repo (publisher identity, recent commits, issues, and package contents).
2) Test in an isolated staging environment or container, not production.
3) Only provide the minimum API key needed (rotate keys and avoid sharing long-lived credentials).
4) Inspect or audit the installed package code (or pin to a vetted version) so you can confirm the claimed sandboxing, secret-redaction, and protected-path behavior.
5) Be aware SKILL.md references OPENAI_API_KEY even though it isn’t declared — ask the publisher whether that variable is required and what it’s used for.
If you lack the ability to audit the package, treat this as higher risk and avoid deploying it against sensitive environments.

Review Dimensions

Purpose & Capability
ok: Name/description (self-healing process manager using AI) aligns with required binaries (node/npm) and the declared primary credential (ANTHROPIC_API_KEY). Installing an npm package that provides command-line binaries (wolverine, wolverine-claw) is coherent with the stated goal.
Instruction Scope
concern: SKILL.md instructs the agent to read project config (.openclaw/config.yml), create backups in ~/.wolverine-safe-backups, modify code (apply fixes), run npm install/chmod/kill, and probe boots. It also references an optional OPENAI_API_KEY for embeddings (not declared by the registry metadata). These instructions grant broad filesystem and process control beyond simple read-only monitoring; the skill claims protections (read-only framework dirs, sandbox, secret redactor), but those are assertions in prose and not enforced by the registry metadata.
Install Mechanism
note: Install is via an npm package (wolverine-ai), which is a common distribution mechanism for Node CLIs. That means arbitrary JS will be installed and run on the host — moderate risk and expected for this type of tool, but you should verify the npm package and its source (maintainer, releases, code) before installing.
Credentials
concern: Registry requires only ANTHROPIC_API_KEY (reasonable). However, SKILL.md also references OPENAI_API_KEY (optional) and expects secrets in .env.local. The skill has wide file-write capabilities (backups, code edits). Requesting an AI API key is expected, but the presence of additional environment variables in the runtime instructions that aren’t declared is an inconsistency and reduces transparency about what secrets the skill may use or need.
Persistence & Privilege
note: The skill is not always-enabled and does not request elevated OpenClaw platform privileges in metadata, which is good. But it does install binaries and writes backups under the user home directory, and it will modify project files at runtime. Those are legitimate for a self-healing tool but increase blast radius — consider isolation (container/VM) and careful review before granting access to production workspaces.