Skillv1.0.5

ClawScan security

botlearn-healthcheck · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

SuspiciousMar 6, 2026, 7:50 PM

Verdict: suspicious
Confidence: medium
Model: gpt-5-mini
Summary: The skill's declared purpose (local OpenClaw health checks) matches most of what it does, but there are several inconsistencies and minor risks you should review before installing (missing referenced script, a few sloppy/inconsistent instructions, and broad local reads of config/log files).
Guidance: What to check before installing or running this skill: - Review the included scripts yourself (scripts/collect-*.sh and scripts/generate-report.sh). They will be executed locally and will read config files and logs. Ensure you trust the skill author and verify there are no unexpected network calls or hidden commands. - Note a missing/inconsistent reference: the docs and data_collect.md reference scripts/collect-tools.sh, but that script is not present in the provided file manifest. Expect runtime errors or incomplete collection unless that script is added or the references are updated. - The skill will read openclaw.json, cron tasks, HEARTBEAT.md and workspace identity files. Those files often contain API keys, tokens, or personal info. The skill states it will redact credential values before output, but reading them into the agent's context still exposes them to the agent process — only install/run if you trust the agent runtime and the skill code. - There are small documentation errors/typos (e.g., setup.md's curl check shows 'bash --version' for curl). These suggest the package was not carefully proofread; prefer to run the first check in a non-production environment or after backing up your OpenClaw config. - Fix workflow: the skill includes commands that can change or delete files (e.g., compress logs, remove old reports, pkill processes). According to flow_fix.md, fixes require your explicit confirmation — ensure the agent indeed prompts you and never auto-applies fixes without consent. - Operational recommendation: run the skill in 'targeted' mode first (e.g., 'check security' or 'check config') rather than a full run, and inspect the collected DATA.* outputs (or the scripts) to confirm behavior before permitting any fix operations. If you need higher assurance, manually run the collection scripts listed in the repo on a test instance to validate their outputs and redaction behavior.
Findings: [pre-scan-injection-none] expected: Static pre-scan detected no injection patterns. This is not proof of safety — the package includes many scripts and large SKILL.md instructions that should be manually reviewed. The lack of regex findings simply means no obvious known patterns were flagged by the scanner.

Review Dimensions

Purpose & Capability: noteName/description align with the actual behavior: the skill collects local OpenClaw status, config, logs and produces reports and optional fixes. Required binaries (node, bash, curl) and the choice of either clawhub or openclaw are coherent. Minor oddity: metadata lists OPENCLAW_HOME as the 'Primary credential' — that's a directory path, not a secret credential; this looks like a labeling/metadata error but not a direct security exploit.
Instruction Scope: concernThe SKILL.md and data collection spec instruct the agent to read many local files (openclaw.json, cron/*.json, workspace identity files, gateway.err.log tail, models.json, memory stats) and to run many CLI commands (openclaw health/doctor/cache, the included scripts). Reading openclaw.json and workspace identity files can surface API keys, tokens or PII; the skill claims to redact credential values and to treat identity content carefully, but the surface is broad. Also SKILL.md and flow_fix.md contain slightly inconsistent guidance (e.g., 'Never ask the human to execute commands' vs. 'Fixes require explicit user confirmation') — functionally consistent but wording could be confusing for an operator. Importantly, some referenced collection scripts (e.g., scripts/collect-tools.sh) are mentioned in documentation but are not present in the provided file manifest, which will likely cause failures at runtime.
Install Mechanism: okNo install spec / no external downloads — the skill is instruction-only and includes scripts in the package. That lowers install risk: nothing is pulled from arbitrary URLs during install. The presence of local scripts means code is provided with the skill; review those scripts before execution.
Credentials: noteThe skill does not request cloud credentials or unrelated secrets. It relies on OPENCLAW_HOME (a path) and local CLI tools, which is proportionate for a local healthcheck. However it will read configuration files (openclaw.json, cron tasks, models.json, workspace files) that commonly contain API keys or tokens — the skill's docs assert redaction before output, but reading these files into the agent context is necessary for its purpose and increases sensitive-data exposure risk. Also: metadata mislabels OPENCLAW_HOME as a 'primary credential' which may mislead less-technical users.
Persistence & Privilege: okalways:false and normal autonomous invocation behavior (disable-model-invocation:false) — standard. The skill does not request persistent platform-wide privileges. Fixes that modify system state require explicit user confirmation according to flow_fix.md. One point to watch: some fix cases contain destructive commands (rm, pkill, chmod); flow_fix.md says destructive or root-required fixes should be shown but not executed without explicit confirmation and user consent — verify the agent implements that gate correctly before permitting fixes.