Skill v0.1.1
ClawScan security
world2agent · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict

Suspicious (Apr 29, 2026, 4:06 PM)

- Verdict: suspicious
- Confidence: medium
- Model: gpt-5-mini
- Summary: The skill's code generally matches its stated purpose (managing W2A sensors), but the package metadata understates required tooling, and the scripts perform privileged actions (global npm installs, service installation, config mutation) that warrant user review before installation.
- Guidance: Before installing or invoking this skill, consider the following:
  1. The scripts require jq, curl, and npm, though the registry metadata doesn't list them — ensure those tools are installed and understand that the skill will call them.
  2. bootstrap.sh may auto-run `npm install -g @world2agent/openclaw-sensor-bridge` (global install) — review that package on the npm registry and prefer to run the install yourself (or run npm without -g) if you don't trust automatic global installs or don't want to use sudo.
  3. Installing a sensor causes this tool to `npm install` arbitrary sensor packages from the public registry; those packages may run install/postinstall scripts. Only install sensors you trust, and inspect their SETUP.md and package contents when possible.
  4. The scripts will create/modify ~/.world2agent/* and may add fields to ~/.openclaw/openclaw.json (a backup is written before mutation); be prepared to review or restore the backup if needed and restart the gateway when prompted.
  5. The scripts read ~/.openclaw/.env to auto-select a notification target (your messaging handles) — if you are concerned about data leaving your machine, review that behavior.
  6. If you want to proceed, run the scripts manually (bootstrap.sh, read-setup.sh) in a shell to see the exact prompts and outputs before letting an agent run them autonomously. If you need greater assurance, inspect the upstream @world2agent/openclaw-sensor-bridge package and any sensor packages you plan to use.
Review Dimensions
- Purpose & Capability (concern): The skill is legitimately a manager for World2Agent sensors, and its scripts implement that functionality (installing sensor npm packages, writing bridge state, mutating OpenClaw hooks, starting a supervisor). However, the registry metadata declares no required binaries or env vars, while the scripts require jq, curl, and npm (and rely on a writable home filesystem and the ability to create launchd/systemd user units). That mismatch between declared requirements and actual needs is an incoherence.
- Instruction Scope (note): SKILL.md instructs the agent to run bundled shell scripts and parse their JSON output; the scripts do exactly that. The scripts read and write user config files (~/.world2agent/*, ~/.openclaw/openclaw.json), create backups, probe and nudge a local supervisor via HTTP, read ~/.openclaw/.env to pick a delivery channel, and may auto-install or start a user service. These behaviors are within the skill's stated scope but have side effects (global npm install requests, writing hooks into openclaw.json, starting background processes) that the user should explicitly authorize.
- Install Mechanism (concern): There is no separate install spec, but the bundled scripts will auto-run npm to (a) globally install @world2agent/openclaw-sensor-bridge if missing, and (b) fetch arbitrary sensor packages from the public npm registry. Using npm for these tasks is expected for this manager, but global npm installs and installing third-party packages carry notable risk (postinstall scripts, privilege escalation if sudo is used). The script does not fetch code from ad-hoc URLs, which lowers arbitrary-host risk, but auto-global installs remain sensitive.
- Credentials (concern): Registry metadata lists no required environment variables, yet the scripts use or observe several env/config sources (OPENCLAW_HOME, WORLD2AGENT_HOME, OPENCLAW_GATEWAY_URL, NPM_DEBUG) and read ~/.openclaw/.env for platform channel handles. The skill also generates and writes control tokens and session key prefixes into ~/.world2agent and may mutate ~/.openclaw/openclaw.json. These are relevant to sensor management, but the absence of declared requirements is misleading, and the scripts' access to local messaging handles and gateway hooks should be noted by users.
- Persistence & Privilege (concern): The skill can create a long-running supervisor process, install per-user launchd/systemd units, and perform npm global installs (which may require elevated permissions). It does not declare always:true, nor does it modify other skills' configs, but it does request persistent presence and the ability to execute code fetched from npm, which increases the blast radius if a fetched package is malicious.
