Skill v1.1.0

ClawScan security

MFA WORD · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Benign · Feb 14, 2026, 3:58 PM
Verdict: benign
Confidence: medium
Model: gpt-5-mini
Summary
The skill's code and instructions are consistent with an on-agent local MFA gatekeeper that stores hashes and audit logs in the user's home directory, but there are engineering and crypto weaknesses to review before trusting it.
Guidance
This skill is coherent with its stated purpose, but review these points before installing:
- Local file writes: it stores a vault (hashed secrets) and an audit log in ~/.openclaw. Ensure you are comfortable with those files existing and set restrictive filesystem permissions (chmod 600) if you use it.
- Crypto: secrets are hashed with plain SHA-256 without salt or a slow KDF; low-entropy secret words could be brute-forced if an attacker obtains mfa_vault.json. Consider using a stronger KDF (e.g., PBKDF2/scrypt/Argon2) or adding a per-user salt.
- Agent-enforced-only: the skill relies on the agent to call its check/verify functions before performing sensitive actions. The skill cannot prevent other code from accessing files or running commands — it is a procedural gate, not a kernel-level enforcer.
- Code quality: index.js mixes CommonJS require(...) with export const declarations, which may cause runtime errors depending on how the platform loads modules; validate the module works in your agent environment.
- Audit logs: logs contain action/result entries (no plaintext secrets) but may reveal usage patterns; consider rotating or protecting them.

If you decide to use it: verify the module runs in your environment, harden vault/log permissions, consider improving the hashing method, and test reset and dead-man-switch behavior. If you need a stronger enforcement boundary, use a system-level access control mechanism rather than relying solely on an agent skill.

Review Dimensions

Purpose & Capability
ok · The skill claims to gate access to sensitive actions using a secret word and an emergency reset word; the code implements local storage of hashed secrets, a session state, check/verify/reset functions, and audit logging under ~/.openclaw. The requested resources (no network, no external credentials) match the stated purpose.
Instruction Scope
note · SKILL.md instructs the agent to call check_gate_status/verify_access before performing sensitive actions — the code provides those functions. However, the skill cannot enforce checks on I/O or commands outside of agent cooperation; it relies on the agent following the protocol. Also, SKILL.md mentions protecting .ssh in examples, but the default sensitive_list in code does not include '.ssh' (only .env, password, config, sudo).
Install Mechanism
ok · No install spec or external downloads are present. The skill includes a local JS module only; nothing is pulled from the network or written to non-standard system locations beyond ~/.openclaw.
Credentials
ok · The skill requests no environment variables or external credentials. It stores data locally in ~/.openclaw (vault and audit log), which is consistent with a local MFA gatekeeper. Note: file writes require filesystem permissions, and the vault/log files should be protected by filesystem ACLs/permissions.
Persistence & Privilege
note · The skill does create persistent artifacts (~/.openclaw/mfa_vault.json and ~/.openclaw/mfa_audit.log) and will append audit entries. It does not set always: true, does not modify other skills, and has no network persistence — but users should be aware that it writes persistent files to the home directory and that audit logs may reveal usage timing.