Skillv1.0.1

ClawScan security

create-agent · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

SuspiciousMar 9, 2026, 7:03 AM

Verdict: suspicious
Confidence: medium
Model: gpt-5-mini
Summary: The skill's purpose and behavior are mostly aligned, but it omits declaring required local tooling (openclaw CLI, node/npx) and asks the operator to install/execute additional packages and provide many channel credentials — gaps that are coherent but unexplained and worth confirming before use.
Guidance: Before installing or running this skill, confirm the following: - Required tooling: ensure you have the openclaw CLI and Node (with npx) installed. The skill's instructions call openclaw and npx but the package metadata does not declare these dependencies. - Sensitive credentials: the flow will ask you to provide channel credentials (bot tokens, app secrets, service-account JSON, etc.). Only provide secrets you trust to be stored/used by your local OpenClaw instance; verify how OpenClaw persists and protects those credentials. - Network installs: the skill instructs using 'npx playbooks add skill ...' which will fetch code from the network. Review the source and contents of the skills being installed (self-improving-agent, capability-evolver) before approving them. - Workspace writes and overwrites: the bundled script will create and may overwrite files under the workspace path (default $HOME/.openclaw/workspace-<id>); back up any existing data and note the script will prompt before destructive actions. - Self-evolution implications: capability-evolver and self-improving-agent are intended to read/write memory and .learnings and can propose automated changes. The configuration here sets review mode, but you should verify that automatic application of changes is disabled and that you have an audit/rollback plan (e.g., initialize git as recommended). If any of the above points are unacceptable or unclear, ask the publisher for clarification (declare required binaries, where credentials are stored, and exact sources for npx-installed skills) before proceeding.

Review Dimensions

Purpose & Capability: concernThe SKILL.md instructs the agent/operator to run many openclaw CLI commands (openclaw agents list/add/set-identity/channels, openclaw plugin add, openclaw channels login, openclaw message) and to use npx to install other skills. The registry metadata declares no required binaries or primary credentials. This is a mismatch: the skill will not work without the openclaw CLI and node/npx being available, but those are not declared. While these tools are reasonable for an 'create agent' skill, the omission is an incoherence that could confuse less technical users.
Instruction Scope: noteThe instructions are largely scoped to agent creation: collect answers, generate workspace files, register the agent with the openclaw CLI, and optionally bind channels. The flow intentionally asks for channel tokens/credentials from the user and to record them for openclaw channel setup. This is expected for channel binding, but it means the skill will prompt the user to provide many sensitive secrets (Bot tokens, app secrets, service-account JSON paths). The skill also instructs installing two skills (self-improving-agent and capability-evolver) that will read/write memory/.learnings — again consistent with the stated goal but raising data-handling implications.
Install Mechanism: concernThere is no install spec in the package (instruction-only), and the shipped script only writes workspace files (no network downloads). However the runtime instructions tell the user/agent to run 'npx playbooks add skill openclaw/skills --skill ...' which will fetch packages from the network via npm. The skill does not declare or validate the presence of node/npx, nor does it declare any trusted source for those playbooks. Network installs invoked at runtime are higher risk and should be made explicit.
Credentials: noteThe registry declares no required environment variables, and the package itself does not embed secrets. That said, the workflow collects and uses many external credentials (channel tokens, app secrets, service-account JSON paths) from the user and feeds them into 'openclaw channels add' or plugin commands. Those credentials are expected for the described functionality, but the skill does not provide guidance about secure storage/rotation or where those secrets will be persisted by the openclaw installation — users should confirm how their OpenClaw instance stores channel credentials.
Persistence & Privilege: okThe skill does not request elevated platform privileges, and 'always' is false. The generate-workspace.sh writes files into a workspace path (default under $HOME/.openclaw), creates .env and asset files, and may overwrite existing workspaces (it prompts). It also instructs installing additional skills that will read/write memory/.learnings; those components are designed to operate within the workspace and are configured to run in review mode. This is functionally expected for an agent-creation skill.