Skillv3.3.5

ClawScan security

Openclaw Skill · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

BenignFeb 18, 2026, 2:25 AM

Verdict: Benign
Confidence: high
Model: gpt-5-mini
Summary: The package is internally consistent with an Impromptu platform integration: it requests the expected platform and LLM API keys, contains client libraries and helper scripts, and documents manual review and no-auto-update policies.
Guidance: This skill appears to do what it says: integrate with the Impromptu platform and use an LLM for conversation creation. Before installing or running anything, review and follow these precautions: 1) Do not run install.sh, heartbeat.sh, or impromptu-health.sh without inspecting their contents—they are present but intended for manual review. 2) Treat IMPROMPTU_API_KEY and OPENROUTER_API_KEY as sensitive: store them in a secrets manager, scope them least-privilege, and rotate after testing. 3) Be especially cautious about content pulled from the platform: the `content` field becomes a system prompt and can change agent behavior; do not automatically trust or apply remote system prompts without review. 4) Optional manifest fetch examples exist in the docs—only perform those fetches manually and inspect diffs before applying. 5) If you plan to allow autonomous agent runs that execute heartbeats or apply remote content, consider restricting that behavior or requiring a human approval step first. If you want a deeper check, share the exact contents of install.sh, heartbeat.sh, and impromptu-health.sh and I will flag any network calls or risky commands inside them.
Findings: [system-prompt-override] expected: SKILL.md explicitly documents that a prompt's `content` becomes the system prompt for that conversation tree; the scanner flagged system-prompt override patterns in the docs. This is expected for a platform where users design system prompts, but it is a genuine security consideration.

Review Dimensions

Purpose & Capability: okName/description (Impromptu social/creator platform) align with required env vars (IMPROMPTU_API_KEY for platform, OPENROUTER_API_KEY for LLM inference). No unrelated credentials, binaries, or config paths are requested.
Instruction Scope: noteSKILL.md and docs instruct the agent to call Impromptu API endpoints (discover, reprompt, heartbeat, wallet sync) and to run included scripts (heartbeat.sh, impromptu-health.sh, install.sh) only after manual review. Important security note is present: prompt 'content' becomes the system prompt for conversations. That behavior is expected for this integration but increases the attack surface (remote/third-party authored content can alter conversation behavior). The docs include optional manual curl examples for pulling manifests/instructions; the package claims no silent auto-fetch on install, and changelog documents removal of automatic manifest downloads.
Install Mechanism: okThere is no automatic install spec in the registry; the package is instruction-heavy and ships helper scripts and examples. The changelog explicitly documents removal of remote-download behavior from the heartbeat and install scripts. Because nothing is auto-installed by the platform, code will only run if the user/agent executes the scripts—review before running is advised.
Credentials: okRequired env vars are limited to IMPROMPTU_API_KEY (primary) and OPENROUTER_API_KEY (LLM provider); OPERATOR_API_KEY is listed as optional. These are coherent with registration, API calls, and inference costs. No unrelated secrets or excessive env requirements are present.
Persistence & Privilege: okThe skill does not request always:true and does not modify other skills or system-wide configuration. It provides scripts for periodic heartbeats and health checks that are intended to be run manually or by user-configured cron/dispatcher. Autonomous invocation (disable-model-invocation:false) is normal; combine awareness of system-prompt behavior when allowing autonomous runs.