Skill v5.2.0
ClawScan security
Even G2 Bridge · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Suspicious · Mar 8, 2026, 3:19 PM
- Verdict: suspicious
- Confidence: high
- Model: gpt-5-mini
- Summary: The skill mostly does what it says (a Cloudflare Worker bridges G2 → OpenClaw), but there are clear inconsistencies around declared requirements, authentication behavior, and an oddly-required fallback API key that make the package suspicious until those are clarified.
- Guidance
  - Before installing or deploying:
    - Treat the registry metadata as incomplete: SKILL.md and worker.js require secrets (GATEWAY_URL, GATEWAY_TOKEN, G2_TOKEN, ANTHROPIC_API_KEY) even though the registry entry lists none. Confirm the seller/author and correct the metadata before proceeding.
    - Do not deploy the Worker without setting G2_TOKEN. The code only enforces request auth if G2_TOKEN is present; leaving it unset could let anyone call your worker, which (if GATEWAY_TOKEN is set) will forward requests to your Gateway. Always set a G2_TOKEN and a scoped GATEWAY_TOKEN.
    - Review why ANTHROPIC_API_KEY is marked required in SKILL.md: it is used as a fallback when the Gateway is unreachable and could reasonably be optional. If you don't want third-party fallbacks, omit/clear that secret and adjust the code.
    - Use a least-privilege Gateway token (scoped, limited TTL) for the Worker; verify the Worker never returns or leaks GATEWAY_TOKEN in responses or logs.
    - If you enable image or Telegram features, be aware that those services (OpenAI, Telegram) will receive user content. Confirm you accept that behavior and that the privacy policies are appropriate.
    - Confirm the author/source (SKILL.md claims a GitHub repo). If the repository is available, review it and compare versions. If the source is unknown, treat the skill as higher risk.
  - If these issues (metadata mismatch, mandatory Anthropic key, auth-enforcement behavior) are clarified and fixed, the skill's behavior is coherent for its purpose; until then, consider it suspicious and proceed cautiously.
Review Dimensions
- Purpose & Capability
  - note: The code and SKILL.md align with the stated purpose: a Cloudflare Worker proxies G2 requests to an OpenClaw Gateway and optionally calls Anthropic, OpenAI, and Telegram. However, the registry metadata lists no required environment variables or binaries, while SKILL.md and worker.js require several secrets (GATEWAY_URL, GATEWAY_TOKEN, G2_TOKEN, ANTHROPIC_API_KEY, etc.). That mismatch between the registry metadata and the skill's own instructions is incoherent and should be corrected.
- Instruction Scope
  - note: SKILL.md instructions are specific and limited to deploying a Cloudflare Worker, setting worker secrets, and configuring the OpenClaw Gateway and G2 app. The instructions direct traffic only to the Gateway, Anthropic, OpenAI, and Telegram — all services documented in the skill. A minor scope discrepancy: SKILL.md instructs installing and using the 'wrangler' CLI (npm), but the registry metadata does not declare any required binaries.
- Install Mechanism
  - ok: This is an instruction-only skill with an included worker.js file (no install spec). There are no downloads from arbitrary URLs or obscure installers. The explicit instruction to `npm install -g wrangler` is reasonable for deploying Cloudflare Workers but should have been declared as an expected binary in the registry metadata.
- Credentials
  - concern: The worker expects several secrets appropriate for its function (gateway URL/token, G2_TOKEN, optional Telegram/OpenAI). Two issues raise concern: (1) SKILL.md marks ANTHROPIC_API_KEY as required even though it is only a fallback — requiring a third-party API key for basic operation is disproportionate; (2) the code enforces G2 authentication only if env.G2_TOKEN is present (it checks `if (env.G2_TOKEN) { require auth }`), meaning a deployed worker without G2_TOKEN would accept unauthenticated requests and simply forward them to the Gateway (if a gateway token is present). Combined with the registry metadata claiming no required env vars, this creates potential for misconfiguration and unintended exposure.
- Persistence & Privilege
  - ok: The skill is not always-enabled and does not request persistent system-wide privileges. It uses Cloudflare Worker background tasks (ctx.waitUntil) for long work, which is normal. It does not attempt to modify other skills or agent config files.
