Skill v2.1.10
ClawScan security
POWPOW Integration · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Benign · Apr 5, 2026, 11:49 AM
- Verdict: Benign
- Confidence: high
- Model: gpt-5-mini
- Summary: The skill's code, docs, and requirements are coherent for a WebSocket-based POWPOW chat integration; nothing in the bundle suggests hidden data exfiltration or unrelated privileges, though there are a few minor documentation/metadata mismatches to verify before use.
- Guidance: This skill appears to do exactly what it claims: connect your OpenClaw agent to POWPOW via WebSocket and relay chat/media. Before installing, consider: 1) Network/privacy: all messages and the agent/user IDs are sent to wss://global.powpow.online, so only install if you trust that service and are comfortable that chat content may be stored/processed by POWPOW. 2) Documentation gap: the code requires an openclawUserId in its config (validated on construction); verify how your OpenClaw runtime supplies that value (usually from agent context) to avoid runtime errors. 3) Source provenance: registry metadata showed 'source: unknown' even though package.json references a GitHub repo and homepage; if provenance matters, review the repository and confirm the maintainer. 4) If you rely on sensitive data, avoid sending secrets through this skill. Otherwise, the implementation and instructions look proportionate and consistent with its purpose.
Review Dimensions
- Purpose & Capability (ok): Name/description, SKILL.md, and the included source all consistently implement a WebSocket-based chat integration to wss://global.powpow.online:8080. The dependency (ws) is appropriate. No unrelated cloud credentials, binaries, or config paths are requested. One minor mismatch: the runtime code requires an openclawUserId in the PowPowSkill config (validated in constructor) but the SKILL.md examples do not show providing it explicitly; likely the platform supplies it via the OpenClaw context, but documentation could be clearer.
- Instruction Scope (ok): SKILL.md instructs only WebSocket connect/listen/send/disconnect flows and configuration for wsUrl/autoReconnect. It does not instruct reading arbitrary files, environment variables, or sending data to endpoints outside of the declared POWPOW URL. The commands and config described match the code's behavior.
- Install Mechanism (ok): No install spec is present (instruction-only install), and the package includes source/dist files and a single well-known npm dependency (ws). Nothing is downloaded from arbitrary URLs or executed during install beyond typical package code.
- Credentials (ok): The skill declares no required environment variables or credentials and requests no system config paths. The only sensitive network interaction is sending chat content to the POWPOW WebSocket server, which is expected for this skill. Confirm you trust the remote POWPOW endpoint since user messages and metadata (digitalHumanId, userId) are sent to it.
- Persistence & Privilege (ok): always is false (no forced global inclusion). The skill contains its own files but does not request persistent elevated privileges or modify other skills' configs. It keeps message queueing in memory and logs to console; it does not write files or store tokens on disk according to the included source.
