Skill v2.0.0

ClawScan security

Skill Security Audit Enhanced · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Benign · Apr 15, 2026, 3:52 AM
Verdict
Benign
Confidence
high
Model
gpt-5-mini
Summary
This is internally coherent: a local Python-based skill-audit scanner with bundled IOC data and detectors that matches its description and does not request unrelated credentials or install external code.
Guidance
This skill appears consistent with its stated purpose (a local scanner). Before running it: review scripts/skill_audit.py and scripts/ioc_database.json yourself. Prefer scans targeted at specific skill folders (use --path) over broad system scans. Do not run the scanner as root unless you understand why elevated access is needed. Treat the scan output as potentially containing sensitive snippets (paths, lines) and handle that evidence carefully. If you need stronger isolation, run it in a VM or container. Verify the skill's provenance (author, repository) and, if you obtained the bundle from a third party, compare hashes of the shipped files against the author's published copy.
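As a concrete form of the hash-comparison step above, here is an added Python example (not part of ClawHub's verdict and not the skill's own scripts) that pins the files of a skill bundle to SHA-256 digests and reports mismatched, missing and unexpected files. The bundle contents and the manifest are constructed inside the example; the file names mirror the ones named in this verdict (SKILL.md, scripts/skill_audit.py, scripts/ioc_database.json), but their contents are placeholders, not the real skill's code.

```python
"""Pin and verify the files shipped inside a skill bundle with SHA-256."""
import hashlib
import tempfile
from pathlib import Path


def hash_file(path: Path) -> str:
    """SHA-256 of one file, read in chunks so large bundles do not sit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def hash_tree(root: Path) -> dict[str, str]:
    """Map every regular file under root (relative POSIX path) to its SHA-256.
    Symlinks are skipped so a link pointing outside the bundle is not hashed
    as if it were bundle content."""
    out = {}
    for p in sorted(root.rglob("*")):
        if p.is_file() and not p.is_symlink():
            out[p.relative_to(root).as_posix()] = hash_file(p)
    return out


def verify_bundle(root: Path, manifest: dict[str, str]) -> dict[str, list[str]]:
    """Compare the bundle on disk with a pinned manifest (path -> SHA-256).
    Returns mismatched, missing and unexpected paths. An unexpected file (one
    the manifest never listed) matters as much as a mismatch, because extra
    code in the bundle also runs when the skill is invoked."""
    actual = hash_tree(root)
    return {
        "mismatched": sorted(p for p in manifest if p in actual and actual[p] != manifest[p]),
        "missing": sorted(p for p in manifest if p not in actual),
        "unexpected": sorted(p for p in actual if p not in manifest),
    }


def build_sample_bundle(root: Path) -> dict[str, str]:
    """Write a constructed sample bundle and return its manifest.
    File names follow the verdict above; the contents are placeholders."""
    files = {
        "SKILL.md": b"# skill-audit\nRun scripts/skill_audit.py --path <dir>\n",
        "scripts/skill_audit.py": b"print('stub scanner')\n",
        "scripts/ioc_database.json": b'{"indicators": []}\n',
    }
    for rel, data in files.items():
        path = root / rel
        path.parent.mkdir(parents=True, exist_ok=True)
        path.write_bytes(data)
    return hash_tree(root)


def demo() -> dict[str, list[str]]:
    """Pin a sample bundle, tamper with it, and report what changed."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        manifest = build_sample_bundle(root)  # hashes taken from the reviewed copy
        # Simulate a bundle obtained elsewhere: one shipped script altered,
        # one file added that the reviewed copy never had.
        (root / "scripts" / "skill_audit.py").write_bytes(b"print('stub scanner')\nimport os\n")
        (root / "scripts" / "helper.py").write_bytes(b"pass\n")
        return verify_bundle(root, manifest)


if __name__ == "__main__":
    print(demo())
```

Record the manifest only after reviewing the files from the author's repository; then any copy of the bundle that fails verify_bundle, whether by a changed script or by a file the manifest never listed, should not be run until the difference is explained.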

Review Dimensions

Purpose & Capability
ok: The name and description (skill audit) match the included artifacts: a pure-Python scanner (scripts/skill_audit.py), an IOC DB, and documentation of the 13 detectors. No unrelated environment variables, binaries, or install steps are requested. Minor inconsistency: some example commands in SKILL.md reference differing absolute paths (e.g., /root/.openclaw/... vs ~/.claude/...), but this is a documentation/path mismatch rather than a capability mismatch.
Instruction Scope
note: The runtime instructions tell the agent to run the bundled scanner, which auto-discovers and reads skill directories (e.g., ~/.claude, ~/.openclaw, /usr/local/lib/node_modules/openclaw/skills). This is expected for a scanner, but it means the tool will read many files under user/home skill locations and may surface sensitive lines (file paths, snippets). The SKILL.md also includes remediation commands (ps, lsof, crontab, moving files), appropriate for incident response but requiring care (permissions/privilege), and the documentation uses several absolute paths that are inconsistent.
Install Mechanism
note: There is no install spec (instruction-only), and the scanner is pure stdlib Python bundled with the skill (no external downloads). That reduces supply-chain risk relative to remote installers. However, running the skill executes code shipped inside the skill bundle (scripts/skill_audit.py), so users should inspect that file before execution; this is normal for local tools but a point to be aware of.
Credentials
ok: The skill declares no required environment variables or credentials. The scanner intentionally looks for indicators related to credentials and sensitive paths (e.g., ~/.ssh, ~/.aws) as part of detection, which is appropriate for its purpose; it does not request access tokens or external secrets in metadata.
Persistence & Privilege
ok: The skill does not request permanent inclusion (always:false) and does not modify other skills or system-wide agent settings. It can be invoked autonomously by the agent (platform default), which is expected for skills; this by itself is not a red flag here.