Skill v1.0.0
ClawScan security
Pans Daily Sales Brief · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Suspicious · Apr 17, 2026, 2:38 AM
- Verdict
- suspicious
- Confidence
- medium
- Model
- gpt-5-mini
- Summary
- The skill appears to implement a sales-brief generator and mostly matches its description, but it invokes an external helper script via a hard-coded macOS Python path and references cross-skill search functionality — behaviors that are unexpected for a simple local brief generator and deserve review before use.
- Guidance
- This skill mostly does what it says (reads a local pipeline.json and generates a brief), but there are unexpected behaviors you should verify before installing or running it:
  - Inspect the external writer: brief.py delegates file writes to a script at '~/Library/Application Support/QClaw/openclaw/config/skills/qclaw-text-file/scripts/write_file.py' and invokes '/opt/homebrew/bin/python3.11'. Open that write_file.py (and any scripts it calls) to confirm it only writes the provided JSON into pipeline.json and does not transmit or leak data elsewhere.
  - Check network calls: the script mentions using SearXNG / pansxng-websearch to fetch competitor news. Review the remainder of brief.py (the truncated section) for any HTTP requests or calls to remote endpoints, and verify which SearXNG instance is used. Ensure it does not post your pipeline data to external servers.
  - Assess platform assumptions: the hard-coded '/opt/homebrew/bin/python3.11' path is macOS/Homebrew-specific and may fail or invoke an unexpected interpreter on other hosts. Consider editing the script to use the current Python (sys.executable) or a portable approach.
  - Run in a sandbox first: before giving it access to real sales data, run the script in a restricted environment (different user account or VM) and observe network traffic and filesystem changes.
  - Ask the author: request clarification why the script uses an external QClaw helper to write files instead of writing directly, and ask for the full source of any referenced helper scripts and the missing portion of brief.py. If you cannot inspect the referenced helper or the rest of the script, treat the skill as risky for real customer/contract data because the external invocation is a plausible exfiltration vector.
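The checks the guidance asks for (a hard-coded interpreter path, a subprocess launch into another application's config area, network-capable imports, and the URL of whatever search instance is contacted) can be run mechanically over brief.py before it is executed. The script below is an added example written for this page; it is not code from ClawHub, the scanner, or the skill. It parses a script with Python's standard-library ast module and reports each flagged behaviour with its line number. The embedded SAMPLE_SKILL_SCRIPT is a constructed stand-in that mirrors the behaviours the scan describes, not the real brief.py; its paths, module names, and the SearXNG host are assumptions.

```python
"""Static audit of a skill's Python script for the behaviours the scan flags.

Added example for this page, not code from ClawHub, the scanner or the skill.
Finding kinds:
  hardcoded-interpreter  absolute /opt or /usr python paths
  foreign-config-path    path chains or literals into another app's config area
  subprocess             subprocess launches (argv shown for review)
  network-import         imports of modules that can reach the network
  remote-endpoint        http(s) URL literals (which search instance is used)
"""
import ast
import re
from dataclasses import dataclass

# Constructed stand-in for the truncated brief.py; NOT the real skill source.
SAMPLE_SKILL_SCRIPT = '''
import json
import subprocess
from pathlib import Path
import requests

PIPELINE = Path.home() / ".qclaw" / "skills" / "pipeline.json"
WRITER = Path.home() / "Library" / "Application Support" / "QClaw" / "openclaw" / "config" / "skills" / "qclaw-text-file" / "scripts" / "write_file.py"
PY = "/opt/homebrew/bin/python3.11"

def save(data):
    subprocess.run([PY, str(WRITER), str(PIPELINE), json.dumps(data)], check=True)

def competitor_news(q):
    return requests.get("https://searx.example/search", params={"q": q}).json()
'''

NETWORK_MODULES = {"requests", "urllib", "urllib3", "http", "httpx", "socket", "aiohttp"}
SUBPROCESS_FUNCS = {"run", "Popen", "call", "check_call", "check_output"}
INTERPRETER_RE = re.compile(r"^/(?:opt|usr)/\S*python\d")
FOREIGN_CONFIG_MARKERS = ("Application Support", ".config/", "AppData")  # assumed markers


@dataclass(frozen=True)
class Finding:
    kind: str
    line: int
    detail: str


def _path_text(node):
    """Flatten a pathlib chain such as Path.home() / "a" / "b" into "~/a/b"; None otherwise."""
    if isinstance(node, ast.BinOp) and isinstance(node.op, ast.Div):
        left, right = _path_text(node.left), _path_text(node.right)
        return None if left is None or right is None else f"{left}/{right}"
    if isinstance(node, ast.Constant) and isinstance(node.value, str):
        return node.value
    if isinstance(node, ast.Call) and isinstance(node.func, ast.Attribute) and node.func.attr == "home":
        return "~"
    if isinstance(node, ast.Call) and isinstance(node.func, ast.Name) and node.func.id == "Path" and len(node.args) == 1:
        return _path_text(node.args[0])
    return None


def _is_subprocess_call(node):
    func = node.func
    if isinstance(func, ast.Attribute):
        return isinstance(func.value, ast.Name) and func.value.id == "subprocess" and func.attr in SUBPROCESS_FUNCS
    return isinstance(func, ast.Name) and func.id in SUBPROCESS_FUNCS


class _Auditor(ast.NodeVisitor):
    def __init__(self):
        self.findings = []

    def _check_text(self, line, text):
        if INTERPRETER_RE.match(text):
            self.findings.append(Finding("hardcoded-interpreter", line, text))
        if any(marker in text for marker in FOREIGN_CONFIG_MARKERS):
            self.findings.append(Finding("foreign-config-path", line, text))
        if text.startswith(("http://", "https://")):
            self.findings.append(Finding("remote-endpoint", line, text))

    def visit_Import(self, node):
        for alias in node.names:
            if alias.name.split(".")[0] in NETWORK_MODULES:
                self.findings.append(Finding("network-import", node.lineno, alias.name))

    def visit_ImportFrom(self, node):
        if (node.module or "").split(".")[0] in NETWORK_MODULES:
            self.findings.append(Finding("network-import", node.lineno, node.module))

    def visit_BinOp(self, node):
        path = _path_text(node)
        if path is None:
            self.generic_visit(node)  # not a path chain: inspect the operands normally
        else:
            self._check_text(node.lineno, path)  # whole chain once; do not descend into prefixes

    def visit_Constant(self, node):
        if isinstance(node.value, str):
            self._check_text(node.lineno, node.value)

    def visit_Call(self, node):
        if _is_subprocess_call(node) and node.args:
            self.findings.append(Finding("subprocess", node.lineno, ast.unparse(node.args[0])))
        self.generic_visit(node)


def audit_script(source):
    """Return the findings for one script, ordered by line then kind."""
    auditor = _Auditor()
    auditor.visit(ast.parse(source))
    return sorted(auditor.findings, key=lambda f: (f.line, f.kind))


def summarize(findings):
    """Count findings per kind, e.g. {"subprocess": 1, "remote-endpoint": 1}."""
    counts = {}
    for finding in findings:
        counts[finding.kind] = counts.get(finding.kind, 0) + 1
    return counts


if __name__ == "__main__":
    for f in audit_script(SAMPLE_SKILL_SCRIPT):
        print(f"line {f.line:>3}  {f.kind:<22} {f.detail}")
```

Point it at the real file with `audit_script(open("brief.py").read())`. A `subprocess` finding whose argv names a value that also appears as a `foreign-config-path` is exactly the write_file.py delegation the scan describes, and `remote-endpoint` shows which SearXNG instance would be contacted. Static findings are only the starting point: write_file.py and the truncated part of brief.py still have to be read, and a sandboxed run with network capture is what confirms whether pipeline data leaves the host.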
Review Dimensions
- Purpose & Capability
- note: Name/description (daily sales brief, pipeline maintenance) matches the files provided: data file, SKILL.md, and a Python script that reads/writes pipeline.json and generates a brief. However, the script delegates file-writing to an external helper located under the user's 'Library/Application Support/QClaw/...' and invokes '/opt/homebrew/bin/python3.11' to run it. A simple local script would normally write the file directly; delegating to another script in the QClaw config is unexpected and disproportionate to the stated purpose.
- Instruction Scope
- concern: SKILL.md only instructs running the local brief.py and references pipeline.json under ~/.qclaw/skills, which is consistent. The code (partial) instructs subprocess execution of another script in the user's QClaw application support path and intends to use a 'pansxng-websearch' integration / SearXNG for competitor news. Those behaviors extend scope to: (1) invoking an unrelated helper script (cross-config access), and (2) performing network searches (SearXNG). Both are outside the minimal scope of 'read local data, generate brief' and should be audited.
- Install Mechanism
- ok: No install spec (instruction-only plus included script). Nothing is downloaded or installed by the skill itself, which reduces risk. The code does, however, call a specific Python interpreter path and an external script at runtime rather than installing dependencies; this is fragile and platform-specific but not an installation-time red flag.
- Credentials
- note: The skill declares no required environment variables or credentials, which is appropriate for its purpose. But the script uses absolute paths (Path.home()/Library/Application Support/... and '/opt/homebrew/bin/python3.11') and invokes another script that lives in a shared QClaw config area; calling into other skill/config code can access broader state and potentially exfiltrate data. The lack of declared env/creds does not rule out data transmissions performed by the external helper or by any websearch code in the truncated portion.
- Persistence & Privilege
- ok: Flags show always:false and user-invocable:true (normal). The skill does not request elevated platform privileges or permanent/always-on presence. It does reference a path inside the QClaw app config, but it does not modify other skills' configurations in the visible code.
