Skill v1.0.0
ClawScan security
Incident Response · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Suspicious · Mar 4, 2026, 4:56 PM
- Verdict: suspicious
- Confidence: medium
- Model: gpt-5-mini
- Summary: The skill's instructions and requested permissions are generally coherent with incident response, but there are a few mismatches and operational risks (OS/command mismatches, implicit external/reporting hooks, and powerful write/restart actions) that you should review before installing or running it in production.
- Guidance: This skill is coherent with its stated purpose (incident response) but carries high operational power. Before installing or running it:
  1) Verify the target host OS and adjust commands (launchctl is macOS; on Linux you may need systemctl).
  2) Only grant exec/SSH and filesystem access to trusted agents — the skill reads session logs and config backups and can restart services and commit config changes.
  3) Test the workflow in a staging environment first (especially restore/merge and cron templates).
  4) Confirm how reporting is configured: replace sessions_send(sessionKey='<your-session-key>') placeholders with a safe, internal reporting channel — avoid sending sensitive outputs to external endpoints.
  5) Ensure backups are taken before applying the restore/merge steps and that git commits and chmod changes are reviewed.
  6) If you rely on DeepWiki or other helper scripts referenced in prevention patterns, install and validate those tools separately.

  If you want, I can list the exact lines/commands that will modify files or restart services so you can review them one-by-one.
Review Dimensions
- Purpose & Capability (note): The name/description (incident response for OpenClaw) matches the declared permissions and the runnable commands: SSH, git, python3, read config backups, restart gateway, and add prevention rules. That said, there is a notable mismatch: skill.yml declares runtime: linux but many runtime commands use macOS's launchctl (launchctl stop/start ai.openclaw.gateway). This OS mismatch could lead to confusing or harmful behavior if run on the wrong platform. The prevention patterns also reference a DeepWiki helper (~/.openclaw/skills/deepwiki/scripts/deepwiki.sh) which is assumed present but not declared as a dependency.
- Instruction Scope (note): SKILL.md instructs the agent to run many sensitive operations (SSH into hosts, read session JSONL logs that may contain user messages or secrets, edit config files, git commit, change file permissions, and restart services). Those actions are appropriate for incident response, but the instructions also include placeholders and templates that could be misused if not filled carefully (e.g., sessions_send(sessionKey='<your-session-key>'), ssh "<remote-host>"). The skill requires reading and sometimes writing sensitive local files (config backups, session logs) — this is within scope but high-privilege. The file-read/write recommendations are explicit and not covert.
- Install Mechanism (ok): There is no install spec and no code files that execute on install; this is an instruction-only skill. That minimizes install-time risk because nothing is downloaded or written automatically.
- Credentials (ok): The skill does not request environment variables or external credentials. It does require exec/SSH access and filesystem read/write permissions which are appropriate for an on-host incident response tool. Ensure the agent invoking this skill has only the required host access (least privilege).
- Persistence & Privilege (ok): always:false and background_eligible:false; the skill is user-invocable and will not be force-included in every agent run. It will create/commit prevention rules and schedule cron jobs as part of normal operations (documented), which is expected for a remediation workflow.
