Tide Watch
Pass
Audited by VirusTotal on May 11, 2026.
Overview
Type: OpenClaw Skill
Name: tide-watch
Version: 1.3.6

The OpenClaw Tide Watch skill is classified as benign. While a critical shell injection vulnerability (CVE-2026-001) was present in version 1.0.0 within `lib/resumption.js`, it was promptly disclosed and fixed in version 1.0.1 by replacing `execSync` with `spawnSync` and `shell: false`, effectively mitigating the RCE risk. The skill explicitly states 'Network Activity: NONE' in `SKILL.md` and `CLAWHUB-SCANNER-RESPONSE.md`, which is confirmed by code review. All file system operations (reading OpenClaw session files, writing resumption prompts, archiving sessions) are local, confined to user-owned OpenClaw directories, and directly aligned with the stated purpose of session capacity monitoring and management. Calls to `child_process.exec` or `execSync` for `openclaw models list` and `openclaw gateway status` are hardcoded and do not incorporate user input, preventing injection. The markdown instructions in `SKILL.md` and other documentation are transparent, guide the AI agent to use its own tools, and do not instruct it to perform malicious actions or exfiltrate data.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
If the optional CLI is installed, it can execute local commands and depends on the trusted `openclaw` binary on the user's PATH.
The optional CLI executes a local OpenClaw command to determine model context limits. The command is fixed and purpose-aligned, but shell execution is a capability users should notice.
const output = execSync('openclaw models list', {
Install only from a trusted source, inspect the CLI before `npm link`, and ensure the `openclaw` command on PATH is the expected one.
Running the command would delete all stored Tide Watch/OpenClaw session backups in that directory.
The documentation contains a recursive deletion command for the skill's backup directory. It is scoped, but it can permanently remove local session backups.
rm -rf ~/.openclaw/agents/main/sessions/backups/
Run cleanup commands manually only after listing the directory and confirming you no longer need the backups.
Local conversation history may be copied, archived, or used to shape a resumed session; tampered resume prompts could influence later agent behavior.
OpenClaw session files, backups, and resumption prompts can contain conversation context that may be persisted and reused across future sessions.
**File Access:** Direct read/write to `~/.openclaw/agents/main/sessions/`
Review resume prompts and backup/archive directories periodically, keep filesystem permissions tight, and disable automatic backup/resumption behavior if it is not wanted.
Manual setup may fail or users may need to locate files outside the reviewed package.
The directives-only setup references template files, while the supplied file manifest does not list AGENTS.md.template or HEARTBEAT.md.template, so that installation path cannot be fully verified from the provided artifacts.
cat skills/tide-watch/AGENTS.md.template >> AGENTS.md
Verify the installed package includes the referenced templates before copying directives into AGENTS.md or HEARTBEAT.md.
A user reading only the assurance document might miss that the optional CLI does execute local processes.
This older assurance text conflicts with the supplied static scan evidence showing `execSync` and `spawnSync`. The primary SKILL.md does disclose optional CLI code execution, but this stale wording could understate what users should review.
Red flags to watch for (none present):
- Child process execution (child_process, exec, spawn)
Rely on the current source and scan results rather than older assurance text, and update the documentation to match the current implementation.
