Skill v1.0.1

ClawScan security

OpenClaw Safe Ops · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Suspicious · Mar 9, 2026, 7:28 AM
Verdict: suspicious
Confidence: medium
Model: gpt-5-mini
Summary
The skill's instructions largely match its stated purpose (back up config, run checks, rollback), but there are a few incoherences and an encoded payload in publish.json that warrant caution before installing.
Guidance
This skill appears to do what it says (backup config, run checks, rollback) but take these precautions before using it:
1) Inspect the package's publish.json: decode the base64 content and confirm it matches the visible SKILL.md (to ensure nothing is hidden).
2) Fix or clarify the backup/rollback filename inconsistency (preflight backup creates openclaw.json.manual.<timestamp>.bak but rollback copies openclaw.json.bak); otherwise rollbacks may fail.
3) Do not run any suggested wrapper scripts you haven't inspected; the package doesn't include ./scripts/openclaw-safe.sh, so either implement your own or review the script before execution.
4) Test the workflow in a safe environment (snapshot or VM) before using on production.
5) Because the skill can be invoked autonomously by an agent, only enable it for agents you trust and monitor its first runs for unexpected behavior.
Findings
[base64-block] unexpected: publish.json includes the SKILL.md content encoded as a base64-like block. Embedding files encoded in publish metadata is plausible for packaging, but base64 blocks can also be used to hide or obfuscate malicious content. The decoded SKILL.md provided is readable and matches the package purpose, but you should verify that the encoded payload decodes to the same benign instructions before trusting the package.

Review Dimensions

Purpose & Capability
ok: Name/description, declared requirements (none), and the instructions all focus on backing up ~/.openclaw/openclaw.json, running openclaw health checks, and performing rollbacks, which is coherent with a 'safe ops' helper.
Instruction Scope
note: Instructions are narrowly scoped to local config and openclaw commands (no external endpoints). However, there are two issues: (1) the preflight backup command writes files named openclaw.json.manual.<timestamp>.bak, while the rollback step copies openclaw.json.bak (a different filename), and this mismatch can break rollback behavior; (2) the SKILL.md recommends a wrapper script ./scripts/openclaw-safe.sh but no script is included in the package, so users would need to supply/inspect this script themselves. Also, a base64-encoded content block appears in publish.json (see scan finding).
Install Mechanism
ok: Instruction-only skill with no install spec and no code files to write to disk; lowest-risk install mechanism.
Credentials
ok: The skill requests no environment variables or extra credentials. It does instruct reading/writing ~/.openclaw/openclaw.json, which is appropriate for the stated purpose.
Persistence & Privilege
ok: 'always' is false and the skill is user-invocable; it does not request permanent presence or modify other skills. Autonomous invocation is allowed by default but is not by itself a concern.