suspicious.insecure_tls_verification
- Location: scanner.py:586
- Finding: HTTPS certificate verification is disabled.
Advisory. Audited by static analysis on May 10, 2026.
Detected: suspicious.insecure_tls_verification, suspicious.obfuscated_code
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Scanning the wrong target can disrupt services, trigger security alerts, or create legal exposure.
The skill exposes broad/deep network scan options plus proxy and rate-limiting controls. This is central to a network scanner and disclosed, but it can be misused against unauthorized networks.
Port Scanning — ... deep (1–65535) ... Rate Limiting — `--rate-delay` for stealth/stealth scanning ... Proxy Support
Use only on networks you own or have explicit written permission to test; set target ranges, port ranges, and concurrency deliberately.
If wired to a Discord bot with no additional access checks, Discord users could trigger scans or view scan reports.
The Discord wrapper turns a chat command argument into a scan target and returns scan output. Access control and channel restrictions are not implemented in this wrapper.
cmd = ["python3", SCRIPT_PATH, target, "--format", "discord", "--depth", depth]
Restrict Discord access to trusted users and authorized targets, and log or review scan requests.
The Discord command may fail or may execute a different local scanner.py than the one the user reviewed.
The wrapper uses an absolute local path instead of resolving scanner.py from the installed skill directory, creating portability and provenance ambiguity.
SCRIPT_PATH = "/home/guy/.openclaw/workspace/apps/network-scanner/scanner.py"
Change the wrapper to resolve scanner.py relative to its own file and verify the installed code before deployment.
Invoking the wrapper runs local scanning code and consumes network/system resources.
The wrapper spawns a local Python subprocess. It uses a no-shell argument list and timeouts, so this is expected for running the scanner, but it is still local command execution.
result = subprocess.run(cmd, capture_output=True, text=True, timeout=180)
Keep the no-shell invocation, validate inputs, and deploy only where local command execution is intended.