Skill v0.0.1

ClawScan security

agentauth · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Suspicious · Apr 29, 2026, 6:50 AM
Verdict
suspicious
Confidence
medium
Model
gpt-5-mini
Summary
The skill's stated purpose (human biometric approval for sensitive actions) matches its instructions, but the runtime flow transmits full commands to a remote approval service and executes those commands if approved — a privacy/exfiltration risk that isn't fully explained in the metadata.
Guidance
This skill implements a useful human-in-the-loop approval flow, but there are important unanswered privacy and data-flow questions you should resolve before installing:

- Inspect scripts/cli.cjs fully (it is included) to determine which remote domains/URLs it contacts and what exact data it transmits during 'auth-flow' and 'approval-flow'. The SKILL.md suggests it contacts agentauth.id; confirm that and examine how data is sent (HTTPS? which fields?).
- Understand what is stored locally under ~/.agentauth (format, encryption, retention). The SKILL.md names this directory explicitly; make sure secrets/passkeys are protected and not world-readable.
- Be aware that the approval workflow sends the full command that will be executed out for review. That command might contain sensitive data (file paths, inline secrets, tokens). If you cannot accept that those commands might leave your machine, either do not install the skill or modify the workflow to sanitize commands before they are sent.
- Confirm the notification mechanisms: if the CLI sends Slack/Telegram messages or uses webhooks, find out how credentials are supplied and stored. The skill declares no env vars for these, so the behavior may be interactive or rely on user-supplied webhook URLs; verify before use.
- Consider running the CLI in an isolated/test environment first, statically reviewing it, or running it with the network blocked to observe local behavior. Prefer self-hosting or audited alternatives if you need strong confidentiality guarantees.

Because the code will execute arbitrary commands after human approval and transmits those commands for approval, this behavior is coherent with the stated goal but introduces non-trivial privacy/exfiltration risk that must be audited before use.
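The following script is an added example of carrying out the first, second and last of those checks on a local checkout; it is not part of the ClawScan page or of the agentauth skill. It lists every URL literal in scripts/cli.cjs, lists the Node network and process-spawning APIs the script references, and checks that the ~/.agentauth state directory is mode 700 with mode 600 files. The cli.cjs and state directory it audits are constructed stand-ins built in a temp directory (the agentauth.id path and the webhook host in them are assumptions); point the three functions at the real checkout and your real ~/.agentauth to audit the actual skill.

```shell
#!/bin/sh
# Added example, not the skill's code: a pre-install audit of an agentauth-style skill.
#   extract_endpoints  - every http(s) URL literal in the CLI (remote domains it can reach)
#   network_apis       - Node APIs in the CLI that touch the network or spawn processes
#   check_state_dir    - is the local state dir private (dir 700, files 600)?
# The sample checkout built by setup_sample is constructed for this example only.

# extract_endpoints FILE: unique http(s) URL literals found in FILE
extract_endpoints() {
  grep -oE "https?://[A-Za-z0-9._~:/?#@!\$&'()*+,;=%-]+" "$1" | sort -u
}

# network_apis FILE: unique network / process-spawning API references in FILE
network_apis() {
  grep -oE "(fetch\(|https?\.(request|get)\(|net\.connect\(|child_process|exec(Sync)?\(|spawn(Sync)?\(|WebSocket)" "$1" | sort -u
}

# check_state_dir DIR: 0 if DIR exists, is mode 700 and every file in it is mode 600, else 1
check_state_dir() {
  [ -d "$1" ] || return 1
  mode=$(stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1")   # GNU stat, then BSD stat
  [ "$mode" = "700" ] || return 1
  [ -z "$(find "$1" -type f ! -perm 600)" ]                       # any file not 600 fails
}

# setup_sample: build a throwaway checkout plus state dir and print its path (constructed data)
setup_sample() {
  dir=$(mktemp -d)
  mkdir -p "$dir/scripts" "$dir/home/.agentauth"
  cat > "$dir/scripts/cli.cjs" <<'EOF'
// constructed stand-in for scripts/cli.cjs, not the real skill code
const https = require("https");
const { execSync } = require("child_process");
const API = "https://agentauth.id/api/sessions";        // assumed path, for illustration
const HOOK = "https://hooks.example.invalid/notify";    // placeholder notifier host
function createSession(toolCall) {
  const req = https.request(API, { method: "POST" });
  req.end(JSON.stringify({ command: toolCall }));       // the full command leaves the host
}
function runIfApproved(toolCall) { return execSync(toolCall).toString(); }
EOF
  printf 'cred-placeholder\n' > "$dir/home/.agentauth/registration.json"
  chmod 700 "$dir/home/.agentauth"
  chmod 644 "$dir/home/.agentauth/registration.json"   # deliberately too open, to be caught
  printf '%s\n' "$dir"
}

WORK=$(setup_sample)
echo "== URL literals in scripts/cli.cjs (verify each domain before installing)"
extract_endpoints "$WORK/scripts/cli.cjs"
echo "== network / process APIs referenced"
network_apis "$WORK/scripts/cli.cjs"
if check_state_dir "$WORK/home/.agentauth"; then
  echo "== state dir permissions: ok"
else
  echo "== state dir permissions: too open (fix: chmod 700 on the dir, chmod 600 on its files)"
fi
```

Run it from the skill checkout with the real scripts/cli.cjs and ~/.agentauth paths; every URL it prints is a remote endpoint to confirm against the SKILL.md, and any reference to child_process or exec/spawn marks where the approved command is actually executed. A URL assembled at runtime from pieces will not appear in the literal list, so an empty result is a reason to read the script, not to trust it.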

Review Dimensions

Purpose & Capability
note
Name/description describe a local human-consent gate. The skill requires the OpenClaw binary and invokes a local CLI (scripts/cli.cjs) to implement approvals, which is consistent. However, the README/SKILL.md say the CLI 'creates an approval session with agentauth' (homepage agentauth.id), which implies network interaction with an external service not surfaced in requires.env or install metadata.
Instruction Scope
concern
The SKILL.md instructs the agent to spawn a sub-agent that runs the included CLI and pass it the full command-to-run (toolCall) and a display string. The CLI then creates an approval session (generates a URL, notifies the user) and, if approved, executes the original command. That means the exact command (potentially containing secrets) is transmitted to an external approval endpoint and stored/processed by the CLI/service. The SKILL.md does not document what data is transmitted, how long it is retained, or which remote domains are contacted. Transmitting arbitrary commands for approval is a material privacy/exfiltration risk and expands scope beyond purely local authorization.
Install Mechanism
note
No registry install spec was provided; the skill includes a Node CLI script (scripts/cli.cjs) and npm-based README steps. There are no external downloads in the registry metadata. Running the provided npm scripts or the CLI will execute the included JS code; the registry metadata does not declare any additional install steps. This is not inherently malicious, but since the CLI likely performs network calls and executes commands, users should inspect the script before running it.
Credentials
note
The skill declares no required environment variables or credentials. Yet the SKILL.md/README mention sending notifications (Slack, Telegram) and creating approval sessions with 'agentauth', which often requires API/webhook credentials. Those credentials are not declared. The skill will also create/use a local ~/.agentauth directory (SKILL.md references it). The absence of declared env vars or explicit data-hosting details is a gap the user should verify.
Persistence & Privilege
note
The skill is not force-installed (always:false) and uses sub-agents for approvals (normal). It appears to persist user registration and passkeys under ~/.agentauth; SKILL.md explicitly calls that directory out (and forbids other agents from modifying it). Storing passkey state locally is expected for this functionality, but the documentation does not explain encryption, access controls, or whether remote backups/telemetry occur.