Skill v1.0.1

ClawScan security

AgentRx · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Benign · Apr 29, 2026, 8:09 AM
Verdict
benign
Confidence
high
Model
gpt-5-mini
Summary
The skill does what it claims: it posts tool failure / preflight payloads to a remote recovery service and returns advisory instructions; its requirements and scripts are proportionate to that purpose, but it does transmit potentially sensitive payloads so operators must sanitize inputs and manage API keys carefully.
Guidance
This skill appears coherent with its stated purpose, but it sends error messages and intended/attempted payloads to a remote service you don't control. Before installing or using it:
- Never send credentials, API keys, passwords, PII, payment data, or other secrets to AgentRx; sanitize inputs programmatically before calling the scripts.
- Do not rely on the README's shared beta key in production; create a dedicated API key and rotate it regularly.
- Verify the AGENTRX_BASE_URL you configure (don't blindly use the value in docs) and confirm the service's privacy/security policy and where logs are stored.
- Restrict which workflows call AgentRx (avoid enabling it for tools that handle highly sensitive data).
- Test first with non-sensitive data and monitor traces/logs referenced by trace_id for unexpected behaviour.
- Treat AgentRx responses as advisory: keep the agent's hard-stop checks (HUMAN_HANDOFF, low confidence, writes/external transmissions) enforced.

If you need a higher assurance level, ask the provider for an architecture/security whitepaper (where requests are logged, retention policy, who can access logs), or consider hosting an equivalent internal recovery service so payloads never leave your control.

Review Dimensions

Purpose & Capability
ok: Name/description, required env vars (AGENTRX_API_KEY, AGENTRX_BASE_URL), and required binaries (curl, jq) align with the stated purpose of calling a remote recovery API. The included scripts and SKILL.md show only expected behavior for a recovery/preflight advisory service.
Instruction Scope
note: Instructions and scripts direct the agent to send agent_id, tool_name, error messages, and attempted/intended payloads to the remote API. That is consistent with the service, but it creates a real risk of leaking secrets or PII if the caller does not rigorously sanitize data. The SKILL.md explicitly warns to strip secrets, which mitigates but does not eliminate the risk; this is a usage policy concern rather than an incoherence.
Install Mechanism
ok: This is an instruction-only skill with small helper scripts and no install spec that downloads third-party code. Nothing in the manifest indicates arbitrary downloads or obscure install sources.
Credentials
note: Requested environment variables are minimal and appropriate for a remote API integration. However, the README includes a plaintext 'beta' API key (beta_openclaw_try_agentrx_2026) and an email for requesting production keys; having a shared key in the package docs is potentially dangerous (encourages shared/overused credentials). Prefer a dedicated key per account and do not embed keys in repo files.
Persistence & Privilege
ok: The skill does not request always:true, does not modify other skills, and has normal autonomous-invocation defaults. It does not persist privileged system changes; its scope is limited to invoking remote endpoints.