Skill v1.0.0
ClawScan security
Ceo Delegation · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Benign · Feb 11, 2026, 9:24 AM
- Verdict: benign
- Confidence: medium
- Model: gpt-5-mini
- Summary: The skill's files and runtime instructions are coherent with its stated goal of delegating tasks to child agents, but there are a few operational/declared-dependency mismatches and resource-abuse risks you should understand before installing.
- Guidance:
  - What to check before installing:
    - Dependency declaration: monitor.py runs the 'openclaw' CLI (openclaw sessions list). Ensure the openclaw binary will be available and you trust its permissions; the skill metadata does not declare this dependency.
    - Resource and autonomy risks: the workflow mandates spawning child agents for tasks >30s and reporting every minute. If you enable autonomous invocation, the skill could create many sub-agents and generate frequent activity (cost, rate-limit, or spam risks). Consider running it with restricted quotas, in a sandbox, or disabling autonomous invocation while you evaluate.
    - Data exposure: the skill uses platform session/memory APIs to read and report child-agent activity. It does not include network endpoints or credential exfiltration code, but child agents will have the platform's usual access — only install if you trust the platform-level capabilities granted to spawned agents.
    - Operational test: run the included monitor.py in a safe environment (or with a benign label filter) to verify behavior and to confirm the openclaw CLI output format matches expectations.
  - What would change this assessment:
    - If the skill attempted to call arbitrary external endpoints, read system files, or required unrelated credentials, it would be suspicious. If the author updated metadata to declare the openclaw dependency and added configurable rate limits/quotas for spawning, confidence would increase.
Review Dimensions
- Purpose & Capability (ok): The skill claims to be a CEO-style delegation workflow and its SKILL.md plus included monitor script implement exactly that (spawn child agents, monitor, accept/reject, record memory). One minor inconsistency: the monitor.py calls an external CLI 'openclaw' to list sessions, but the skill metadata did not declare any required binaries. Otherwise the requested actions (sessions_spawn, sessions_list, memory_search, sessions_history) match the described purpose.
- Instruction Scope (note): SKILL.md stays within the stated domain (delegation, monitoring, acceptance). It prescribes platform-specific calls (sessions_spawn, sessions_list, sessions_history, memory_search) and specific model choices, which is expected but platform-specific. Operationally it mandates spawning child agents for any >30s work and reporting every minute; that is coherent with the purpose but grants the skill broad autonomy to create many sub-agents and produce frequent reports — a potential resource/behavior concern (not a code-level red flag).
- Install Mechanism (ok): There is no install spec (instruction-only) which is low risk. The package includes a small helper script (scripts/monitor.py) and a package.json. The script will run a subprocess calling the 'openclaw' CLI; although no external download/extract occurs, the CLI dependency is implicit and not declared in metadata.
- Credentials (ok): The skill does not request environment variables, credentials, or config paths. The runtime instructions refer to platform APIs (sessions_*, memory_) but do not ask for unrelated secrets or external service keys. The included script reads only the CLI output and prints a report — it does not attempt to exfiltrate data to external endpoints.
- Persistence & Privilege (note): always:false and default autonomous invocation are appropriate. However, because the workflow explicitly instructs frequent autonomous spawning and 1-minute reporting, the skill can amplify its blast radius (many child agents, frequent network/compute activity) if invoked autonomously. This is an operational risk to consider (rate limits, cost, spam), not an immediate indicator of malicious intent.
