Skillv1.5.5

ClawScan security

Coder Workspaces · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

BenignFeb 11, 2026, 9:09 AM

Verdict: benign
Confidence: high
Model: gpt-5-mini
Summary: The skill's requests and runtime instructions are consistent with managing Coder workspaces via the official coder CLI and only require the Coder URL and session token, which is proportional to its stated purpose.
Guidance: This skill appears coherent with its purpose, but take these precautions before installing: - Only provide CODER_SESSION_TOKEN that you trust: prefer a least-privilege token or dedicated service account rather than a personal admin token. - Store the token securely (OpenClaw config) and rotate/revoke it if you stop using the skill. - Verify that your Coder deployment actually enforces workspace isolation (so remote commands cannot reach your host or other sensitive resources). - Test read-only commands (e.g., coder list, coder whoami) first to confirm behavior and connectivity. - Require confirmation or limit autonomous actions in your agent policy for destructive commands (delete, restart) to avoid accidental or automated destructive changes. - Install the coder CLI only from your Coder instance or the official docs to avoid tampered binaries.

Review Dimensions

Purpose & Capability: okName/description, required binary (coder), and required env vars (CODER_URL, CODER_SESSION_TOKEN) all align with managing a Coder deployment via the official CLI. Nothing requested appears unrelated to the stated functionality.
Instruction Scope: noteSKILL.md is instruction-only and confines actions to the coder CLI (list/start/stop/ssh/tasks). This is in-scope. Note: the skill assumes the agent will run coder ssh or coder tasks commands which can execute arbitrary commands inside remote workspaces; the SKILL.md claims those commands run in isolated Coder workspaces rather than on the host — you should verify that isolation in your Coder deployment before granting broad tokens.
Install Mechanism: okNo install spec or remote downloads; instruction-only skill with links to official Coder docs. Low install risk.
Credentials: noteOnly CODER_URL and CODER_SESSION_TOKEN are required, which is appropriate. However, a session token grants actions on the Coder instance; consider using a token with limited scope, a dedicated service account, and secure storage (OpenClaw config).
Persistence & Privilege: notealways is false and there are no install scripts or persistent changes. The platform default allows autonomous invocation; combined with a session token this means the skill (when invoked by the agent) can perform actions against your Coder instance without additional prompts. Consider agent confirmation policies for destructive operations (e.g., delete).