Skill v1.0.5

ClawScan security

gateway-notify · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Benign · Mar 9, 2026, 12:55 PM
Verdict: benign
Confidence: high
Model: gpt-5-mini
Summary
The skill's code and instructions match its stated purpose (creating a gateway-startup hook that sends notifications); the implementation is self-contained and does not request unrelated credentials, though it invokes external messaging CLIs which you should verify are trusted and installed.
Guidance
This skill appears coherent with its purpose. Before installing: (1) inspect scripts/setup_gateway_notify.sh yourself — it creates files under ~/.openclaw/hooks and writes handler.ts; (2) ensure the messaging CLIs it will call (imsg, wacli, openclaw message) are the official/trusted binaries on your system — a malicious replacement binary with one of those names could be invoked; (3) optionally open the generated handler.ts after running the setup script to confirm the embedded address and command look correct; (4) if you are concerned about command injection, test with a dummy address and review the SAFE_ADDRESS escaping in the setup script. No extra credentials are requested by this skill.

Review Dimensions

Purpose & Capability
ok: Name and description (notify on gateway startup) align with the files and script. The setup script only creates a hook under ~/.openclaw/hooks/gateway-restart-notify, generates HOOK.md and handler.ts, enables the hook, and asks the user to restart the gateway. No unrelated cloud credentials or global config paths are requested.
Instruction Scope
note: SKILL.md and setup script stay within the described scope: they write to the skill's hook directory, enable the hook, and the handler only collects timestamp and a hardcoded port. The handler executes external CLI commands (imsg, wacli, openclaw message) to send notifications — this is expected for a notification skill but means the skill will invoke local binaries. The script performs input validation and attempts to escape single quotes before embedding the address into handler.ts.
Install Mechanism
ok: Instruction-only skill with no install spec; the only code written to disk is created by the provided setup script in the user's home directory. No remote downloads or archive extraction are performed by the skill itself.
Credentials
ok: No environment variables, secrets, or external credentials are requested. The messaging address is provided by the user at setup. The handler does not read OpenClaw config files (project changelog/SECURITY.md explicitly documents removal of config reads).
Persistence & Privilege
ok: The skill does not request always: true and does not modify other skills. It enables a hook via the OpenClaw CLI (openclaw hooks enable) which is the expected mechanism for registering event handlers.