Skill v1.0.0
ClawScan security
Aionis · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Suspicious · Mar 4, 2026, 10:49 AM
- Verdict: suspicious
- Confidence: medium
- Model: gpt-5-mini
- Summary: The skill's instructions largely match its stated purpose (connecting OpenClaw to Aionis), but there are packaging and metadata inconsistencies and a bootstrap script that will run a persistent local container and write runtime secrets; you should verify the GHCR image and the package before running the bootstrap.
- Guidance: What to consider before installing/bootstrapping:
  - Metadata mismatch: the registry entry claims no required env vars or binaries, but SKILL.md requires AIONIS_BASE_URL and either AIONIS_API_KEY or AIONIS_AUTH_BEARER, and the bootstrap script requires docker, curl, and openssl. Treat the package as needing those tools and secrets even though they aren't declared in metadata.
  - Bootstrap behavior: the provided script will pull and run ghcr.io/cognary/aionis:standalone-v0.2.5, write .runtime/aionis.env and .runtime/clawbot.env (including generated ADMIN_TOKEN and memory API key), and create a persistent Docker container and volume. If you run it, do so in a controlled/sandboxed environment (not on a production host) until you trust the image.
  - Trust the image/source: inspect the GHCR image (repository, maintainer, and image digest) before pulling. If possible, pull and inspect the image locally, or run it in an isolated VM. Confirm the upstream project's repo and image provenance (cognary) match expectations.
  - Secrets handling: the script generates and writes API/admin tokens to files and suggests sourcing them; sourcing exposes secrets into your shell environment. Avoid automatic sourcing from untrusted packages and securely store or rotate any generated admin keys.
  - If you only need remote Aionis access (not local standalone), you can skip the bootstrap and point AIONIS_BASE_URL and the API key to an existing trusted endpoint.
  - Recommended immediate actions: verify the GHCR image (digest and upstream repo), review the container image contents if possible, run the bootstrap only in an isolated environment, and ensure the package metadata is corrected or clarified before using in sensitive environments.
Review Dimensions
- Purpose & Capability (note): The SKILL.md and included files clearly implement an Aionis memory/policy loop (endpoints, request templates, and a local standalone bootstrap). However the registry metadata declares no required environment variables or binaries while SKILL.md requires AIONIS_BASE_URL and an auth key/bearer and the bootstrap script requires docker, curl, and openssl. That mismatch between declared metadata and actual requirements is an incoherence to be aware of.
- Instruction Scope (ok): The runtime instructions stay within the stated purpose: they describe health checks, memory write/assemble/select/feedback flows, and provide request templates. The only broader action is an explicit 'auto bootstrap' instruction that launches a local Aionis container; otherwise the skill does not instruct the agent to read unrelated system files or exfiltrate data.
- Install Mechanism (note): There is no formal install spec, but the provided bootstrap script pulls a container image from ghcr.io (ghcr.io/cognary/aionis:standalone-v0.2.5) and runs it with Docker. GHCR is a standard registry (better than arbitrary URLs), but pulling and running remote container images is a higher-risk action than an instruction-only skill. The script writes runtime env files and creates a persistent container/volume.
- Credentials (concern): The env vars the skill needs (AIONIS_BASE_URL, AIONIS_API_KEY or AIONIS_AUTH_BEARER, optional tenant/scope and optional embedding provider keys) are appropriate for the stated purpose. But the package metadata did not declare these required credentials or the need for Docker/openssl/curl, which is a packaging inconsistency and can mislead users about what secrets or host capabilities will be used. The bootstrap also auto-generates ADMIN_TOKEN and memory API keys and writes them to .runtime files, which it then recommends sourcing into shells.
- Persistence & Privilege (note): The bootstrap creates a Docker container with --restart unless-stopped and a named volume for persistent data; this is legitimate for a 'local standalone' mode but does create a persistent service on the host. The skill is not marked always:true and does not modify other skills, but running the bootstrap grants long-lived access to an additional local service and stores generated secrets on disk.
