Skill v2.0.1

ClawScan security

Skill Safe Install · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Suspicious · Feb 27, 2026, 7:01 PM
Verdict
suspicious
Confidence
medium
Model
gpt-5-mini
Summary
The skill is largely coherent with its stated purpose (scanning skills with ThreatBook and a local vetter) but contains behaviors and instructions that increase privacy/exfiltration risk and a few operational inconsistencies that you should review before installing.
Guidance
This skill appears to do what it says (local vetting + ClawHub rating + ThreatBook sandbox), but it will package and upload entire skill code to a third-party service. Before installing, consider:
1) Do not alias/overwrite your `clawhub` command system-wide until you've tested the script; that alias would make every install automatically upload code to ThreatBook.
2) Review scripts/safe-install.mjs yourself to confirm exactly what is uploaded and whether temporary directories are cleaned.
3) Be careful about placing sensitive or proprietary skills behind this flow; the tool warns not to upload secrets, but it is your responsibility to prevent that.
4) The README suggests echoing the API key into ~/.openclaw/.env; ensure your runtime actually loads that file or export the env var in your shell/CI so the script can authenticate.
5) Use --dry-run first and run the tool in a controlled environment (non-prod user) to observe behavior. If you must use it in CI, restrict the scanned artifacts to non-sensitive samples or ensure ThreatBook usage complies with your privacy policies.

Review Dimensions

Purpose & Capability
ok
Name/description match what the package does: it vets skill code, queries ClawHub for ratings, and uploads a packaged skill to ThreatBook for sandboxing. Required binaries (node, curl, tar, zip) and THREATBOOK_API_KEY are appropriate for the documented functionality.
Instruction Scope
concern
The runtime instructions and the included script download the target skill via `clawhub install`, scan files locally, then package and upload the skill to the external ThreatBook sandbox. That behavior can leak entire skill source trees (possibly containing sensitive code or secrets). The README suggests aliasing/wrapping `clawhub install` in your shell to force-check every install, which would cause automatic uploads of all skills to the third-party sandbox. The SKILL.md also instructs writing the API key to ~/.openclaw/.env (which is not the same as exporting an env var), a potential operational mismatch.
Install Mechanism
note
There is no remote install step; the script is included in the skill bundle (scripts/safe-install.mjs), so nothing is fetched/installed from arbitrary URLs at install time. The script uses child_process/execSync to run clawhub and other shell commands, which is expected for a wrapper tool but increases runtime risk if invoked with elevated privileges or used as an automatic wrapper.
Credentials
concern
The only required env var is THREATBOOK_API_KEY (primary credential), which is justified for uploading files to ThreatBook. However: 1) Uploading skill archives to a third-party sandbox will transmit potentially sensitive code/data. 2) The README suggests storing the key in ~/.openclaw/.env rather than exporting it; unless your runtime sources that file, the script may not see the key. 3) The script runs `clawhub` commands which may require ClawHub credentials (CLAWHUB_TOKEN) in some environments; this token is mentioned only as optional in docs, but failure to authenticate could change behavior. These are proportional to the stated purpose but present privacy/operational concerns.
Persistence & Privilege
note
The skill does not set always:true and does not auto-enable itself. However, SKILL.md recommends adding an alias/function to ~/.bashrc that overrides `clawhub` to route installs through this tool; if a user follows that, it effectively forces the tool into all install workflows and increases its blast radius. The skill itself does not automatically persist or modify other skills' configs, but the recommended integration pattern can create persistent, automatic behavior.