Skillv1.0.0

ClawScan security

Openclaw Uninstaller · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

BenignMar 10, 2026, 11:41 AM

Verdict: Benign
Confidence: high
Model: gpt-5-mini
Summary: An instruction-only uninstall guide whose commands and scope match its stated purpose; no unexpected credentials, installs, or hidden behavior were requested, but some destructive commands and an npx suggestion warrant caution before running.
Guidance: This is a coherent uninstall guide, but follow safety precautions before running the commands: 1) Back up any data you may want to keep (workspaces, config, credentials). 2) Inspect each rm -rf and service command to ensure paths and service names match your system and profiles; running them will permanently delete files. 3) Avoid running `npx -y ...` unless you trust the package source—npx fetches and executes remote code; prefer using your already-installed openclaw CLI or install the package first and review it. 4) On multi-profile or remote hosts, repeat steps per-profile or log into the target host. 5) Do not run destructive commands as root unless you understand the implications. If anything is unclear, run the commands interactively (remove --yes/--non-interactive) so you can confirm actions.

Review Dimensions

Purpose & Capability: okThe name/description (OpenClaw uninstaller) matches the instructions: stop gateway, uninstall CLI, remove config/workspace, and remove system services. There are no unrelated environment variables, binaries, or install steps requested.
Instruction Scope: noteInstructions are focused on uninstall tasks and explicitly show destructive commands (rm -rf, service disables, removal of apps). The guide also suggests using `npx -y openclaw uninstall --all --yes --non-interactive`, which will fetch and execute code from the npm registry without confirmation — this is expected for an npm-based CLI but increases execution risk. Users should review and prefer running a locally installed CLI or inspect the package before running npx with -y/non-interactive.
Install Mechanism: okNo install spec or code files are included (instruction-only). Nothing will be written to disk by the skill itself and there are no download/install steps embedded in the skill content.
Credentials: okThe skill declares no required env vars or credentials. It references LOCAL paths and a shell variable fallback (${OPENCLAW_STATE_DIR:-$HOME/.openclaw}) that are appropriate for an uninstaller; nothing asks for unrelated secrets or system-wide credentials.
Persistence & Privilege: okThe skill does not request persistent presence (always: false) and does not modify other skills or global agent settings. Autonomous invocation is allowed by default but not a special privilege requested here.