Skill v1.0.1

ClawScan security

GoList · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Benign · Feb 27, 2026, 7:15 PM
Verdict: benign
Confidence: high
Model: gpt-5-mini
Summary
The skill's code, instructions, and environment usage are coherent with its stated purpose (a CLI wrapper for the GoList API); it persistently stores a device ID and known-list state and talks only to the declared API endpoint.
Guidance
This skill appears to do exactly what it says: a small Python CLI that talks only to https://go-list.app/api, stores a state file (~/.openclaw_golist_state.json by default), and generates a persistent device UUID and list/item IDs locally. Things to consider before installing: (1) the skill will create and persist a device id and known-list mappings in your home directory—review or change OPENCLAW_STATE_FILE if you prefer a different location; (2) immediately after creating a list the skill will auto-generate a share token and present the share URL to the user (it does not appear to broadcast that token elsewhere, but be aware it surfaces share links automatically); (3) no external credentials are required. If you do not trust go-list.app or you do not want the agent to autonomously create/share lists, disable autonomous invocation for this skill or review/modify the code before use.

Review Dimensions

Purpose & Capability
ok: Name/description, SKILL.md, and the included Python CLI consistently implement a GoList CLI wrapper that generates device/list/item IDs locally, persists a small state file, and uses the fixed API base URL. No unrelated credentials or binaries are requested.
Instruction Scope
note: Instructions and code only access the declared API and a single state file (default ~/.openclaw_golist_state.json, overridable via OPENCLAW_STATE_FILE). One notable behavior: after create-list the skill always generates a share token and returns the share URL to the user automatically — this is surprising but consistent with the documented 'hard constraint'; it does not appear to transmit data to third parties beyond the stated API.
Install Mechanism
ok: No install spec is present (instruction-only deployment) and the included code is plain Python using standard library modules (urllib, uuid, json). No downloads from external/untrusted URLs or package installs are requested.
Credentials
ok: No required secrets or credentials are requested. Optional environment variables (GOLIST_DEVICE_ID, OPENCLAW_STATE_FILE, GOLIST_SHARE_TOKEN) are explicitly documented and used by the code; their presence is reasonable for this skill.
Persistence & Privilege
note: The skill persists state to a file under the user's home directory and generates a persistent device UUID (written to the same state file). It is marked always:false (not force-included). The ability to persist state and to run autonomously is expected for a CLI wrapper but is something to be aware of.