Skill v1.0.0
ClawScan security
CodeSmith · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Suspicious · Mar 8, 2026, 11:03 AM
- Verdict
- suspicious
- Confidence
- high
- Model
- gpt-5-mini
- Summary
- The package's files and runtime instructions match its stated purpose (a senior coding agent configuration), but the metadata under-declares what it needs and there are several scope/credential mismatches you should review before applying it.
- Guidance
- This package appears to be a legitimate mentoring/automation configuration for coding agents, but it under-declares important operational requirements. Before applying:
  - Do not assume the registry metadata lists everything: the docs expect the 'gh' CLI, ACP enabled, and tokens like VERCEL_TOKEN for API deploys. Provide those only if you understand the risk.
  - Back up ~/.openclaw/workspace/AGENTS.md and ~/.openclaw/cron/jobs.json (the package itself recommends this). Validate diffs before accepting any changes.
  - Start with the recommended gradual rollout: enable only the morning brief cron first and verify outputs, then add others one at a time.
  - Confirm how your platform supplies channel delivery credentials; verify the skill will not be able to post to external channels without your explicit config.
  - Test LOCKDOWN.md behavior on a safe dev agent: create the LOCKDOWN file and confirm scheduled sessions halt and post the expected message.
  - Review any example curl/command snippets before running them: they reference environment variables (e.g., $VERCEL_TOKEN) that you must provision securely; avoid pasting tokens into chat or unreviewed scripts.
  - If you want stronger assurances, ask the publisher (or inspect the package source repository) for a declared list of required env vars and an explicit checklist of what gets written during setup.

  Confidence note: high confidence this package is coherent with its stated purpose, but suspicious because of the mismatch between declared requirements and the actual runtime guidance (credentials, binaries, cron/network interactions).
Review Dimensions
- Purpose & Capability
- note: The name/description (senior engineering agent, CI/CD, GitHub workflows, ACP dispatch, cron jobs) align with the content of SKILL.md and the included docs. However the package references external services and tools (GitHub CLI 'gh', Vercel API using $VERCEL_TOKEN, ACP/codex dispatch, messaging channel delivery) that the registry metadata does not declare as required. That mismatch is disproportionate: a CI/CD/dispatch mentor legitimately needs those tools/credentials, but the skill's declared requirements list none.
- Instruction Scope
- concern: The instructions read and write files under ~/.openclaw/workspace and memory/*, install/merge AGENTS.md, create cron jobs, and instruct the agent to dispatch sub-agents via ACP. The package also includes concrete curl examples that use $VERCEL_TOKEN and recommends use of the 'gh' CLI. While many of these actions are coherent with the package purpose, they expand the agent's scope into: reading many local config files, adding cron jobs that run autonomous agent sessions, and performing network calls to GitHub/Vercel. The SKILL metadata does not list these file/network interactions or required env vars. The instructions claim explicit approval is required before writes/cron modifications, but the runtime payloads and setup guide include shell commands (cp, git config, curl examples) that, if executed, modify local config and could be used to trigger network actions.
- Install Mechanism
- ok: There is no install spec and no code to fetch; this is instruction-only, which is lower-risk from an installation/downloading perspective. All behavior comes from the provided guidance and cron payloads rather than installed binaries.
- Credentials
- concern: Registry metadata claims no required env vars or binaries, but the package repeatedly assumes: a configured 'gh' CLI, a VERCEL_TOKEN (or equivalent) for API deploys, ACP enabled and an agentId for sub-agent dispatch, and a messaging channel ID/credentials for delivery. Those credentials/binaries are proportional to a CI/CD/dispatch mentor, but the skill should have declared them (primaryEnv, required envs, and required binaries). The absence of declared credential requirements is an incoherence that could cause unexpected prompts for tokens or accidental exposure if a user follows examples verbatim.
- Persistence & Privilege
- note: always:false (no forced inclusion) and model invocation is allowed (default). The package instructs writing config and cron entries but repeatedly emphasizes explicit approval before writing. Cron jobs it proposes are powerful (they run autonomous agent sessions on a schedule). Combined with the package's autonomy guidance, crons + ACP dispatch create a non-trivial operational footprint; this is expected for its purpose, but you should follow the package's one-at-a-time adoption guidance and ensure LOCKDOWN.md behavior is tested before enabling crons. No evidence the package tries to modify other skills or request permanent always:true privileges.
