Skill v1.0.0
ClawScan security
openclaw-cleaner · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Suspicious · Mar 10, 2026, 7:47 AM
- Verdict
- suspicious
- Confidence
- medium
- Model
- gpt-5-mini
- Summary
- The skill implements broad workspace file scanning, snapshotting, and deletion behavior and explicitly allows AI-driven actions without user confirmation — this is coherent with a 'cleaner' but gives an agent powerful read/write/delete capabilities over your project files and could be dangerous if invoked automatically.
- Guidance
- This skill appears to be a coherent project cleaner but gives an agent wide ability to read all files in your workspace, record file contents into snapshots, and perform deletions without requiring user confirmation. Before installing: 1) Do not run on a workspace that contains secrets or sensitive production data; test in an isolated repo or VM. 2) Inspect the full SKILL.md code yourself (or have someone you trust review it) to confirm what 'remove' operations do and whether there are safeguards. 3) Require manual confirmation for destructive actions — do not allow autonomous invocation to delete files. 4) Backup important data outside the project (separate storage) before use. 5) Consider restricting the skill's runtime permissions or path scope so it cannot traverse outside an allowed directory. If you need safer defaults, ask the author to add explicit confirmation prompts and scope limits (e.g., whitelist directories, skip files with sensitive extensions).
Review Dimensions
- Purpose & Capability
- note: The name/description (project cleaner: snapshots, diff, checkpoints, optimize) matches the instructions and the embedded JavaScript implementation: it scans the workspace, records file contents and hashes, writes snapshots under .cleaner-backups, and exposes compare/restore/remove-like operations. That capability set is consistent with a cleaner tool, but the implementation is broad (reads file contents and writes backups) and examples reference removing skills ('skills.remove'), which may have wide effects depending on the agent runtime.
- Instruction Scope
- concern: SKILL.md contains runtime instructions plus a full JS implementation that recursively reads most files in the workspace (reading file contents, computing hashes), creates snapshots containing file content, and exposes operations that perform deletions/changes. The header explicitly says 'AI 可在执行任务时直接调用,无需用户确认' (AI may call directly while executing tasks, without user confirmation). Reading and persisting full file contents and allowing deletion without confirmation grants broad access to potentially sensitive files (.env, keys, credentials) and can cause irreversible changes if invoked autonomously.
- Install Mechanism
- ok: No install spec and no code files outside SKILL.md — the skill is instruction-only. That lowers supply-chain risk because nothing external is downloaded or executed during install. However, the SKILL.md itself contains executable code the agent is expected to use at runtime.
- Credentials
- note: The skill requests no environment variables or credentials (proportionate). However, it performs filesystem access across the workspace and stores file contents in snapshot files under .cleaner-backups. Even though no external credentials are requested, the file I/O behavior can expose local secrets stored in the workspace — this is a privacy/privilege concern even without env credentials.
- Persistence & Privilege
- concern: The skill does not set always:true (good), but the SKILL.md explicitly permits autonomous AI invocation without user confirmation and provides code that deletes/changes files. Autonomous invocation combined with delete/write capability increases risk. The skill writes its backups under the project ('.cleaner-backups'), which is reasonable scope, but there is no mechanism described to require explicit user consent prior to destructive actions.
