Skillv1.0.0

ClawScan security

Broedkrumme Kalibr · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

SuspiciousApr 29, 2026, 4:16 AM

Verdict: suspicious
Confidence: medium
Model: gpt-5-mini
Summary: The skill's behavior (capturing LLM telemetry, outcome reporting, and optional model routing) matches its description, but there are implementation and packaging inconsistencies and an incomplete/truncated source view that prevent full assurance.
Guidance: This plugin implements telemetry and optional model-routing and will contact a Kalibr service using the provided API key. Things to consider before installing: - Trust the backend: telemetry (model IDs, token counts, tool names, run IDs, timestamps, and possibly aggregated outcomes) will be sent to the Kalibr service at the configured apiUrl. Only install if you trust that endpoint and operator. - Missing dependency declaration: the code imports "@kalibr/sdk" but package.json has no dependencies. Ask the author how the SDK will be provided/installed; without the SDK the plugin may fail or the host may need to install it, which could pull code from npm at runtime. - Review full source: the provided index.ts listing is truncated. Request the complete index.ts (and the @kalibr/sdk source or documentation) so you can confirm exactly what fields are transmitted (e.g., whether prompts or assistant text are sent). The visible code records token counts and model/provider identifiers but not prompt text — verify the truncated portion to be sure. - Minimum privilege: use a Kalibr API key with limited scope where possible, and consider disabling enableRouting and captureLlmTelemetry if you only want outcome capture or want to avoid routing/parameter injection. - If you need higher assurance, request a signed/official release, dependency manifest that pins @kalibr/sdk to a trusted version, and a full code audit of the SDK or network calls the SDK performs.

Review Dimensions

Purpose & Capability: okThe plugin code implements telemetry capture, outcome reporting, and optional model-routing via a Kalibr SDK, which aligns with the skill name/description and the SKILL.md config (apiKey, apiUrl, enableRouting, capture* flags). Required credentials (an API key) are appropriate for a telemetry/analytics service.
Instruction Scope: noteSKILL.md and openclaw.plugin.json clearly ask for an API key and an apiUrl; the code registers hooks to record LLM inputs/outputs, tool calls, and to call Kalibr.decide() for routing. The visible code records model/provider, run IDs, timestamps, token counts and tool names (not the full prompt text); it also may send aggregated data to the Kalibr service via the dynamically imported SDK. The index.ts file in the bundle is truncated in the provided listing, so there may be additional data capture or transmission not visible here — that missing portion prevents a definitive assessment of exactly what is transmitted.
Install Mechanism: concernThis is an instruction-and-code skill with no install spec. The code dynamically imports "@kalibr/sdk", but package.json does not list any dependencies. That mismatch means the runtime will either need the SDK preinstalled in the host environment or the import will fail; it's also unclear how the SDK would be installed. Dynamic import of an external SDK is expected for this functionality but increases risk because the SDK may perform network calls; the lack of an install specification or dependency declaration is an incoherence and operational risk.
Credentials: okThe only sensitive configuration required is an API key for the Kalibr service (declared as required in openclaw.plugin.json). No unrelated environment variables, cloud credentials, or config paths are requested. That is proportionate to the described telemetry/routing purpose.
Persistence & Privilege: okThe skill is not always-enabled and does not request system-wide privileges. It registers hooks for agent lifecycle events and keeps telemetry in in-memory structures with a short TTL; there is no evidence it modifies other skills' configs or writes persistent files. Autonomous invocation (disable-model-invocation: false) is the platform default and expected for this kind of plugin.