Skill v1.0.0

ClawScan security

OpenClaw Task Experience Summaries · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Benign · Feb 16, 2026, 3:44 AM
Verdict
benign
Confidence
high
Model
gpt-5-mini
Summary
This is an instruction-only troubleshooting/documentation skill whose requests and instructions match its stated purpose; it does not ask for credentials or install code itself.
Guidance
This skill is a documentation/troubleshooting guide and appears internally consistent. It won't install or run code by itself, but it recommends commands (e.g., npm install -g clawhub) and mentions API keys. Before following any commands: verify the package and registry (don't install unknown global npm packages as root), confirm the provenance of tools like 'clawhub' and 'tavily' (check official sites or GitHub repos), and never paste secret keys into untrusted pages or tools. Note that the skill's source/homepage is missing — if you want stronger assurance, ask the publisher for a repository or official homepage to verify origins before using their recommended binaries or registries.

Review Dimensions

Purpose & Capability
ok: The name/description (task experience summaries and troubleshooting) align with the SKILL.md content. The file contains guidance on installation, common errors, configuration, and documentation templates — all consistent with the stated purpose.
Instruction Scope
ok: Instructions are documentation-style: example shell commands, environment-variable patterns, and troubleshooting steps. They do not instruct the agent to read unrelated system files or exfiltrate data. The SKILL.md does reference setting/checking API keys (TAVILY_API_KEY, OPENAI_API_KEY) but only as examples relevant to configuration troubleshooting.
Install Mechanism
ok: There is no install spec and no code files — this is instruction-only. Nothing will be written to disk by the skill itself. The SKILL.md mentions npm install commands as examples a user might run; that is expected for this documentation role.
Credentials
note: The skill does not declare any required env vars, but the documentation mentions common API keys (TAVILY_API_KEY, OPENAI_API_KEY) as examples. This is proportionate for troubleshooting docs, but users must avoid pasting secrets into untrusted places when following instructions. No unexpected or unrelated credentials are requested by the skill itself.
Persistence & Privilege
ok: 'always' is false and the skill is user-invocable. It does not request permanent presence, nor does it modify other skills or system-wide settings. Autonomous invocation is allowed by default but is not combined with other high-risk factors here.