Skill v1.5.0
ClawScan security
Vault-0: Agent Security, Monitor & x402 Wallet for OpenClaw · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Benign (Feb 12, 2026, 6:52 AM)
- Verdict: benign
- Confidence: medium
- Model: gpt-5-mini
- Summary: The skill's instructions and requirements are internally consistent with a macOS security/monitoring app that installs from a GitHub DMG and reads the OpenClaw .env file; the main residual risks are an unsigned DMG, lack of shipped source in the package (instruction-only), and the app's access to local secrets/Keychain, which the user should verify before installing.
- Guidance: This instruction-only skill is coherent with its stated goal (a macOS vault/monitor that reads OpenClaw configs and uses Keychain). Before installing:
  1. Manually verify the SHA-256 shown by shasum against the release page before mounting the DMG.
  2. Prefer building from source (git clone && npm install && npm run tauri build) if you or someone you trust can audit the code; per the instructions, the DMG is unsigned and not notarized.
  3. Be aware the app will be persistent (installed to /Applications) and will access your OpenClaw files and macOS Keychain (wallet private keys are claimed to remain in Keychain).
  4. Do not skip the Gatekeeper prompt without understanding the risk.
  5. If you cannot or will not audit the release, decline installation or use the build-from-source path.
  6. After hardening, verify the expected changes (first line of ~/.openclaw/.env and the Vault-0 dashboard) and keep a backup of any wallet mnemonic using a method you trust.
  If any step is unclear or you cannot confirm the GitHub release integrity, treat the binary as untrusted.
Review Dimensions
- Purpose & Capability [ok]: Name/description (agent security, local vault, monitor, optional wallet) align with the instructions: download and install a macOS app, run it to harden OpenClaw and monitor the gateway, and verify ~/.openclaw/.env. Declared configPaths (~/.openclaw/.env, openclaw.json) and the shown single-line check are consistent with the described hardening behavior.
- Instruction Scope [note]: SKILL.md tells the agent to fetch a DMG from the project's GitHub releases, verify the SHA-256 manually, mount the DMG, copy the .app into /Applications, and run a single-line head of ~/.openclaw/.env to confirm hardening. These steps are scoped to installation and a minimal verification of the OpenClaw env file. The instructions do read a user config file (head -1 ~/.openclaw/.env), which is appropriate for the stated purpose, but the skill gives broad discretion to prompt the user and to open the app, which will then access Keychain and the OpenClaw gateway locally.
- Install Mechanism [note]: No install scripts are bundled; the instructions download a DMG from GitHub releases (a standard distribution method). This is reasonable, but the DMG is not Apple-notarized per the SKILL.md, so Gatekeeper prompts are expected and the user is asked to manually verify the SHA-256. Because the delivered artifact is a binary (DMG) and not source, the user must trust the release or build from source. Use of GitHub releases is normal and not inherently red-flagged.
- Credentials [ok]: The skill does not request environment variables or external credentials in the registry metadata. It does reference and read the OpenClaw config path (~/.openclaw/.env) during hardening and documents use of macOS Keychain for the optional wallet; both are proportional to a vault/wallet app. No unrelated credentials or broad env access are requested.
- Persistence & Privilege [note]: The skill instructs installing a persistent macOS app into /Applications, which is expected for this functionality. always:true is not set. The app will run locally and listen on localhost for agent monitoring/proxying; that persistence and localhost access are coherent with the stated purpose but increase the blast radius if the binary is malicious, so verification is important.
