Skillv1.0.0

ClawScan security

easy-openclaw · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

SuspiciousMar 11, 2026, 1:07 PM

Verdict: suspicious
Confidence: medium
Model: gpt-5-mini
Summary: The skill's instructions expect broad local access (OpenClaw configs, tokens, CLI tools) and to run remote API calls / upstream install steps, but the package metadata declares no required config paths or credentials — this mismatch needs careful review before installing.
Guidance: This skill is a detailed, opinionated OpenClaw configurator that will read and modify your OpenClaw configuration (~/.openclaw/*), extract and use channel credentials (Discord/Telegram/Feishu) from those files or by asking you, call external APIs (Discord, defuddle, r.jina.ai), install plugins/Skills, and restart the OpenClaw gateway. These capabilities are consistent with its stated goal, but the package metadata does not declare the config paths, binaries, or credentials it relies on — that's an inconsistency you should consider a warning sign. Before installing or running this skill: - Review the SKILL.md and the referenced files locally so you know exactly which commands it will run and which files it will modify. - Run it first in a non-production/test environment or snapshot your OpenClaw config and create an independent backup (do not rely solely on the skill's backup). - Confirm you are comfortable with it reading ~/.openclaw/openclaw.json and any channel tokens; provide pairing tokens only via private/direct channels and rotate tokens after testing if concerned. - If the skill proposes to run upstream install scripts or auto-install dependencies, inspect those upstream commands/URLs before consenting. - If you want tighter control, require the skill to provide the exact shell commands it will run and manually execute them yourself, or run the skill in a sandboxed VM/container. If you need, I can highlight the exact lines in SKILL.md that read tokens, call external endpoints, or run installs so you know where the risks are.

Review Dimensions

Purpose & Capability: concernThe skill's stated purpose (configure/optimize OpenClaw) does legitimately require reading/writing OpenClaw config files, calling platform APIs (Discord/Feishu/Telegram), and installing Skills. However the registry metadata declares no required config paths, binaries, or credentials while the SKILL.md repeatedly assumes access to ~/.openclaw/openclaw.json, ~/.openclaw/workspace/, OpenClaw CLI, curl, jq, python3, docker, etc. That metadata/instruction mismatch is an incoherence — the skill will need more local access and tools than the metadata claims.
Instruction Scope: concernThe runtime instructions instruct the agent to read many local files (e.g., ~/.openclaw/openclaw.json, workspace, logs), extract tokens from config, call external APIs (Discord endpoints, defuddle, r.jina.ai), deep-merge config, write back settings, install plugins/skills, and perform gateway restarts. While most actions are relevant to configuring OpenClaw, some are high-sensitivity (reading tokens and calling platform APIs using those tokens). The SKILL.md also directs automatic token discovery and API calls (curl with Authorization headers) — this will access secrets without explicit upfront declaration in the metadata. The instructions do include sensible constraints (desensitize secrets in output, require user consent before automatic fixes), but they still grant the skill broad read/write and network capabilities.
Install Mechanism: noteThis is an instruction-only skill (no install spec). That reduces supply-chain risk from a downloaded binary, but the instructions tell the agent to follow upstream README install chains, run CLI installs (openclaw plugins install), and auto-complete dependency fixes (python/pip, possible Docker install if user consents). Executing upstream install steps or running commands that fetch remote scripts is expected for a configurator, but it increases operational risk — the skill may cause arbitrary code execution depending on the upstream install commands it chooses to run.
Credentials: concernThe SKILL.md reads and writes sensitive local configuration and secrets (Discord bot tokens, Feishu appSecret/appId, Telegram botToken, ~/.openclaw/openclaw.json) and will use them to contact external APIs. Those credentials are proportional to the stated purpose (channel onboarding), but they are not declared in the registry metadata (no required config paths / env vars). The mismatch between declared requirements and actual instructions is a red flag. Also, the skill suggests deep-merging configs and creating backups — operations that modify persistent sensitive state and warrant explicit user awareness.
Persistence & Privilege: noteThe skill does not request always:true and is user-invocable; it will, however, write into OpenClaw config files, install/enabled plugins, create backups, and perform a single gateway restart as part of its normal flow. Those privileges are consistent with a configuration helper, but they are high-impact (modifying persistent system/service state). The SKILL.md contains explicit rules to avoid overwriting user configs and to require confirmation, which helps, but users should treat these operations as privileged and verify steps before allowing execution.