Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Clawdscan
v0.3.0 · Diagnose Clawdbot/OpenClaw health — session bloat, zombies, stale files, AND skill dependency validation. Zero dependencies, single Python file.
⭐ 0 · 1.1k · 0 current · 0 all-time
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
Medium confidence
Purpose & Capability
Name/description match the provided code and docs: a single-file Python CLI that scans Clawdbot/OpenClaw JSONL session files for bloat, zombies, staleness and can recommend or perform cleanup. Requested binary (python3) is appropriate and proportionate.
Instruction Scope
SKILL.md and companion docs instruct the agent to read session files under the user's Clawdbot directories (default ~/.clawdbot / ~/.openclaw), produce JSON reports, and — when asked — archive/delete sessions. This is consistent with the stated purpose, but the instructions also include automated heartbeat/cron integration examples and examples that run cleanup automatically. The docs include examples for sending notifications (webhook/curl) and subprocess usage for heartbeat; those are optional but widen the action surface beyond passive analysis.
Install Mechanism
There is no network install step or external download in the registry metadata; the package ships as code (clawdscan.py) and has no install spec. This is low-risk from an installation perspective (no remote extraction/third-party package pulls).
Credentials
The registry required-env list is empty (no secrets requested), which fits the tool's offline file-analysis purpose. However SKILL.md/README/heartbeat docs reference multiple environment variables (CLAWDBOT_DIR, NO_COLOR, CLAWDSCAN_AUTO_CLEANUP, CLAWDSCAN_PATH, etc.) and the TASK.md suggests writing history to ~/.clawdbot/clawdscan-history.json. Those env vars are not secrets but they do control behavior (including auto-cleanup). No credentials or unrelated service tokens are requested.
Persistence & Privilege
The tool can create history files in the home directory and perform destructive actions (clean --execute deletes/archives sessions). The bundled skill.json declares a heartbeat block with enabled: true and a 6h interval, which implies the skill requests periodic/automated execution. Combined with the cleanup capability (and the provided heartbeat auto-cleanup example), this increases operational risk if auto-cleanup is enabled accidentally. By default auto-cleanup is off, but installing and enabling the skill could allow recurring scans and potential deletions if environment/configuration toggles are set later.
What to consider before installing
What to check before installing:
- Review the clawdscan.py source yourself (it's included). The tool reads session JSONL files under ~/.clawdbot and related dirs and can delete/archive sessions when run with --execute.
- Default behavior is a preview (non-destructive), but the heartbeat/cron examples and skill.json include an auto-run/heartbeat config. Confirm how your platform handles the skill.json heartbeat block (does installing automatically schedule periodic runs?).
- Do NOT enable automatic cleanup (CLAWDSCAN_AUTO_CLEANUP=true) until you have run several scans and validated the deletion behavior in a safe environment.
- If you plan to run it on production data, take backups of your sessions first. Test cleanup in a staging environment and inspect the 'would remove' preview output carefully.
- Expect the tool to write history/metadata files to your home (~/.clawdbot or ~/.clawdscanrc) if you enable history saving; if you prefer no persistence, run scans without --save-history or change paths in the config.
- If you are concerned about network notifications, check any webhook/curl examples — they are optional and not required, but review any automation that posts scan results externally.
Summary recommendation: the skill is broadly coherent with its stated purpose, but because it requests periodic execution and can perform destructive cleanup, treat it cautiously: audit the code, run it in dry-run (preview) mode, and verify the heartbeat and auto-cleanup settings before enabling automated runs.
Runtime requirements
🔍 Clawdis
Bins: python3
