Skill v1.0.3
ClawScan security
Operation Quarantine · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Suspicious · Mar 10, 2026, 9:58 PM
- Verdict: suspicious
- Confidence: medium
- Model: gpt-5-mini
- Summary: The package is generally consistent with a local quarantine/inspection service, but there are multiple small mismatches and opt‑in features (webhooks, LLM, external alerting) plus undeclared binaries/vars that warrant careful review before installing.
- Guidance: This package is plausibly what it claims (a local quarantine service) but review before installing:
  1) Run it in an isolated environment and inspect service/.env.example; keep ENABLE_WEBHOOKS off unless you explicitly want outbound alerts.
  2) If you enable LLM analysis, provide a trusted provider and API key and be aware analysis data is sent to that provider.
  3) Confirm whether you want OpenClaw alerts; if so, ensure the /usr/bin/openclaw CLI exists and is trusted (not declared as required in metadata).
  4) Fix or verify mismatches: ClawHub domain (clawhub.com vs clawhub.ai), env var names (QUARANTINE_LLM_BASE_URL vs QUARANTINE_LLM_PROVIDER), and undocumented telegram/webhook variables.
  5) Run the included test suite (node test-quarantine.js) and vet package.json dependencies (npm audit).

  If you do not want any possibility of external egress, do not enable ENABLE_WEBHOOKS or LLM features and bind to localhost only.
- Findings:
  - [pre-scan-prompt-injection-keywords] expected: The SKILL.md and signatures purposely contain injection keywords (e.g., 'ignore previous instructions', 'system prompt') because they are used as detection signatures. These strings will trigger prompt-injection detectors but are benign in this defensive context.
  - [undeclared-binary-openclaw] unexpected: alerts.js execs /usr/bin/openclaw to send messages in 'openclaw' mode, but 'openclaw' is not declared as a required binary in the skill metadata. If you intend to use OpenClaw channel alerts, ensure the CLI exists and is trusted.
  - [env-var-name-mismatches] unexpected: There are inconsistent environment variable names between SKILL.md and code (e.g., SKILL.md mentions QUARANTINE_LLM_PROVIDER while llm.js looks for QUARANTINE_LLM_BASE_URL; code also references Telegram/env vars not listed in metadata). This is likely sloppy but could cause misconfiguration.
  - [external-fetch-domain-variance] unexpected: skill-scan.sh attempts to fetch skills from 'https://clawhub.com/skills/$SKILL_NAME' (and /api/skills/), while metadata/homepage points at clawhub.ai. Verify intended source domain — a typo could cause fetching from an unexpected host.
Review Dimensions
- Purpose & Capability (note): The code and SKILL.md match the stated purpose: a local pattern+optional‑LLM quarantine service for emails and skill manifests. The service requires node and uses local HTTP endpoints as described. However there are small inconsistencies: the registry install spec only names 'fastify' while package.json depends on dotenv and html-to-text as well (SKILL.md instructs running npm install which will install them). The alerts feature calls /usr/bin/openclaw but 'openclaw' is not declared as a required binary in metadata.
- Instruction Scope (note): Runtime instructions require routing raw email/skill content to the local service and refusing to process content if the service is unreachable (fail‑closed). That is consistent with a quarantine tool. The scripts will fetch skill content from the network if no file is provided (skill-scan.sh uses curl to fetch ClawHub pages). The SKILL.md and signature files contain many injection keywords (expected for a detection tool) — these triggered pre-scan injection signals but are part of the signatures database.
- Install Mechanism (note): Install is standard Node/npm (package.json and package-lock.json present). No arbitrary URL downloads or archive extraction are used. Slight inconsistency: the registry 'install' entry lists only a 'fastify' node package id, but the project relies on other npm dependencies (dotenv, html-to-text). The recommended quickstart runs npm install locally (expected).
- Credentials (concern): Most environment variables are optional and justified (port, bind host, thresholds, optional LLM provider and API key). However: enabling alerts->custom requires ENABLE_WEBHOOKS=1 and a webhook URL, which would permit external egress of flagged content (this is an explicit opt‑in but high‑sensitivity). The code also references environment variables and tokens that are not listed in metadata (e.g., QUARANTINE_CUSTOM_TELEGRAM_TOKEN / QUARANTINE_CUSTOM_TELEGRAM_CHAT, QUARANTINE_LLM_BASE_URL vs SKILL.md's QUARANTINE_LLM_PROVIDER). The openclaw CLI is invoked when ALERT_MODE=openclaw but it is not declared in required binaries. These mismatches increase the chance of accidental misconfiguration or unexpected egress.
- Persistence & Privilege (ok): The skill is not marked always:true and does not request permanent platform-level privileges. Autonomous invocation (disable-model-invocation=false) is the platform default; combined with this skill's ability to inspect content it increases reach but is expected for a quarantine tool. The service binds to 127.0.0.1 by default, reducing unintended network exposure.
