Skill v1.0.0
ClawScan security
skill-security-scanner-clean · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Benign · Feb 27, 2026, 1:58 PM
- Verdict
- benign
- Confidence
- high
- Model
- gpt-5-mini
- Summary
- The skill is a self-contained static security scanner whose code, instructions, and resource requirements are consistent with its stated purpose; no disproportionate privileges or hidden network behavior were found, though some detection rules are broad and may produce false positives and the tool will write a report file into the scanned skill directory.
- Guidance
- This skill appears to do what it says: a local static scanner for OpenClaw skills. Before installing or relying on it, consider the following:
  1. Source provenance: the package has no homepage and the owner is unknown — review the code yourself or prefer a scanner from a trusted, verifiable source.
  2. False positives: some detection rules are broad (flags for common hosts, IPs, or large/minified files); treat 'WARNING'/'REVIEW' results as prompts for manual inspection rather than automatic rejection.
  3. Artifacts: the install guard saves a .security_scan_report.json inside the scanned skill directory; ensure you are comfortable with that artifact being created.
  4. Safe testing: run the scanner on known-good and known-bad samples in an isolated environment to validate its behavior and tune expectations (or strict mode).
  5. If you plan to integrate this into automation, review the scoring/verdict thresholds in references/rules-reference.md and consider whitelisting legitimate patterns to reduce noise.
Review Dimensions
- Purpose & Capability
- ok: Name/description match the included files: SKILL.md, scripts/security_scanner.py, and an install guard. The scanner implements pattern-based detection for eval/exec, network calls, file ops, env access, obfuscation, etc., which is appropriate for a security scanner. No unrelated credentials, binaries, or external services are requested.
- Instruction Scope
- note: SKILL.md and scripts instruct the agent/human to run the scanner against a skill directory and to incorporate it into install workflows. That is within scope. Notes:
  1. Detection rules explicitly flag some legitimate hosting services and IP literals (e.g., gist.github.com, drive.google.com, dropbox.com, raw IPs), which is an overbroad heuristic that will cause false positives in otherwise legitimate skills.
  2. Some regexes (e.g., obfuscation patterns) are coarse and may trigger on large/minified legitimate files.
  3. The install_guard will save a .security_scan_report.json into the scanned skill directory (which is useful but adds an artifact to the scanned path).
- Install Mechanism
- ok: There is no install spec; this is effectively an instruction + code bundle. No remote downloads, package managers, or archive extractions are performed by the skill itself. Code files are present in the package and executed locally; that is expected for this tool.
- Credentials
- ok: The skill declares no required environment variables, no credentials, and no privileged config paths. The scanner code does look for environment-accessing patterns in scanned code (appropriate for its purpose) but does not itself attempt to read the host environment or request secrets.
- Persistence & Privilege
- note: The skill does not request permanent 'always' presence and uses normal model invocation. It will write a .security_scan_report.json into the scanned skill directory when run via the install_guard, which is reasonable for an audit tool but worth knowing (artifact persistence). It does not modify other skills' configs or system-wide settings.
