Skill v1.0.0
ClawScan security
OpenClaw Bootstrap · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Suspicious · Mar 7, 2026, 3:01 AM
- Verdict: suspicious
- Confidence: medium
- Model: gpt-5-mini
- Summary: The skill's behavior generally matches a bootstrapper, but it performs runtime network installs (npm / clawhub) and modifies user workspace/hooks without declaring dependencies or lockable sources; review before running.
- Guidance: This package is plausibly a normal bootstrapper but has a few things to check before running:
  1. Inspect scripts/bootstrap.sh yourself (it will copy files to ~/.openclaw/workspace, create hooks in ~/.openclaw/hooks, and call openclaw to add crons).
  2. Be aware it runs `npm i -g clawhub` and `clawhub install self-improving-agent`, which will download and install third-party code from the network; verify the clawhub package and the self-improving-agent source first.
  3. Back up any existing ~/.openclaw/workspace files if you have them.
  4. If you want lower risk, run the script in a sandbox/VM or run it step-by-step instead of one-shot, and avoid running global npm installs as root.
  5. Expect the resulting system to perform scheduled/automated actions (crons/hooks); review and disable any you do not want.

  If you need more assurance, ask the publisher for source/homepage or a signed release/lockfile for the CLI and the 'self-improving-agent'.
Review Dimensions
- Purpose & Capability (note): Name/description match the included files and the bootstrap script: it creates workspace files, .learnings, hooks, and schedules crons and attempts to install a 'self-improving-agent'. However, the skill does not declare required CLIs (openclaw, clawhub, python3, npm) even though the script uses them. This omission is unexpected but explainable for a bootstrapper.
- Instruction Scope (note): SKILL.md and assets instruct the agent to populate and read workspace files (memory, learnings, soul, user), which is consistent with a local bootstrapper. The runtime script copies files into ~/.openclaw/workspace, creates hooks under ~/.openclaw/hooks, and uses openclaw to add crons. These actions read/write local user files (intimate data) but do not themselves exfiltrate data. The instructions do, however, enable automated behavior (crons/hooks) that will run later; users should expect ongoing local activity.
- Install Mechanism (concern): There is no registry-level install spec, but the included scripts run `npm i -g clawhub` and use clawhub to install 'self-improving-agent' at runtime. Those commands will fetch code from external registries/hosts during execution (network downloads, unpinned). This is proportional to installing a CLI but raises risk because the sources aren't pinned/verified and will execute third-party code on the machine.
- Credentials (ok): The skill declares no required env vars; the script respects an optional OPENCLAW_WORKSPACE environment variable. It does not request credentials itself, but installing/using clawhub and running 'clawhub install' may require the user to authenticate to remote services. No unrelated secrets are requested by the skill.
- Persistence & Privilege (note): The skill is not always-enabled and does not modify other skills' configs beyond copying a hook into ~/.openclaw/hooks. It creates persistent files under ~/.openclaw/workspace, installs a global npm CLI (clawhub) if absent, and registers crons via the openclaw CLI. These are expected for a bootstrapper but are persistent changes the user should accept consciously.
