This security-scan skill is mostly purpose-aligned, but its trigger phrases are broad enough that it can be invoked to inspect sensitive OpenClaw configuration and local skill files when no audit was intended, and it writes its report to a fixed workspace path without a clear opt-in step.
Review the trigger phrases before installing, and invoke the skill only when you intentionally want an OpenClaw security audit. Expect it to read gateway, plugin, channel, skill, and credential-related locations. Treat any report it generates as sensitive, since it can reveal your security posture and specific configuration weaknesses, and limit who can read the workspace path it is written to. Do not approve an automatic fix unless you understand the gateway configuration change it makes and have a way to roll it back.