Skill v1.0.1

ClawScan security

OpenClaw Rescue Gateway Skill.md · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Benign · Mar 6, 2026, 5:07 PM
Verdict: benign
Confidence: high
Model: gpt-5-mini
Summary
The skill's instructions are internally consistent with its stated purpose (setting up a separate OpenClaw Rescue Gateway), but they explicitly instruct copying credentials and disabling normal execution/audit protections — which is functionally coherent but security-sensitive.
Guidance
This skill does what it says: it shows how to run a separate OpenClaw Rescue Gateway and deliberately tells you to copy the main agent's auth profiles and to disable execution prompts and approval checks so the rescue agent runs unrestricted. That is coherent but risky: copying auth-profiles.json duplicates API keys (Anthropic, other providers) and giving the rescue gateway "full" exec and "approve-all" removes protections that would normally stop accidental or malicious code execution. Before installing/using:
(1) inspect the auth-profiles.json being copied and verify you understand which provider keys will be duplicated;
(2) if possible create a scoped/rescue-only Discord bot token and minimal provider credentials rather than copying production keys;
(3) avoid or postpone setting tools.exec.security = "full" and plugins approve-all unless you explicitly need unattended full-exec behavior — prefer ask = "on" or more restrictive permissionMode;
(4) test in an isolated account/container or with rotated tokens so compromise has limited impact;
(5) keep backups and rotate credentials after testing.
If you are not comfortable managing launchd/plist or handling secret files, do not apply these instructions blindly.
Findings
[regex-scan-none] expected: No code files or regex findings; this is expected because the skill is instruction-only (SKILL.md) and has no install spec for analysis. The primary security surface is the prose instructions.

Review Dimensions

Purpose & Capability
ok: Name/description (Rescue Gateway) match the instructions: create a separate profile, launchd label, port, and agentDir for a rescue Discord bot. All recommended config edits, ports, and launchctl steps are directly relevant to that goal.
Instruction Scope
concern: The SKILL.md tells the operator to copy the main agent's auth-profiles.json into the rescue agentDir and to place bot tokens and gateway tokens into the rescue config. It also instructs setting tools.exec.security = "full", tools.exec.ask = "off", and plugins.entries.acpx.config.permissionMode = "approve-all". These steps go beyond innocuous config changes: they duplicate sensitive credentials and suppress execution/audit prompts, which materially increases risk even if necessary for an unattended rescue agent.
Install Mechanism
ok: Instruction-only skill with no install spec and no code files — nothing is downloaded or written by the skill itself. Risk from install mechanism is minimal.
Credentials
concern: The registry metadata lists no required env vars, but the instructions require setting environment variables and placing secrets (Discord bot token, rescue gateway token) into config files and copying auth-profiles.json (which may contain provider API keys). Requesting or directing duplication of those secrets is proportionate to running the rescue agent but increases credential exposure and blast radius; the skill does not declare or limit those secrets in metadata.
Persistence & Privilege
concern: The skill itself does not request permanent platform privileges (always:false). However it explicitly recommends configuration values that grant the rescue gateway broad runtime privileges (full exec, ask: off, approve-all). That is a deliberate privilege expansion for the rescue service and should be considered a high-risk, user-controlled change.