Back to skill
Skillv0.1.0
ClawScan security
OpenClaw Capture · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
ReviewApr 30, 2026, 6:23 AM
- Verdict
- Review
- Confidence
- medium
- Model
- gpt-5-mini
- Summary
- The skill largely matches its stated purpose (wrapping a local capture workflow and fanout to Telegram/Feishu), but there are mismatches between declared requirements and the runtime instructions, and it will read local repo config/.env and execute configurable local commands and network requests — all of which need explicit user review before use.
- Guidance
- What to check before installing/using: - Metadata mismatch: the registry lists no required env vars, but SKILL.md and the code use many sensitive env vars (model API key, Telegram bot token, Feishu webhook, legacy project path). Treat that as a red flag until registry metadata is corrected. - Secrets and local files: the skill will try to read a legacy project's config.json and .env if present. Do not point OPENCLAW_CAPTURE_LEGACY_PROJECT_ROOT at a repo that contains secrets you don't want read or forwarded. - Network endpoints and exfiltration risk: the skill sends captured content to model APIs and to Telegram/Feishu. Verify OPENCLAW_CAPTURE_MODEL_API_BASE_URL and OPENCLAW_CAPTURE_BACKEND_URL are trusted — attacker-controlled endpoints could receive your data and API keys. - Local command execution: if you set OPENCLAW_CAPTURE_LOCAL_STT_COMMAND, the skill will run that command; only set it to a trusted CLI. The code uses shlex.split (not a shell), which reduces but does not eliminate risk of misuse if templates are untrusted. - Run in isolation first: test in a controlled environment (throwaway VM or container), with no sensitive legacy repo and with dummy tokens, to observe behavior and network calls. - If you plan to use it with your real openclaw_capture_workflow checkout, review the legacy repo's scripts (video_audio_asr, video_keyframes_extract, etc.) since this wrapper will call them. If you want to proceed: update the registry metadata to list the required env vars explicitly, ensure all endpoints and tokens are trusted, and avoid pointing the skill at repositories containing other credentials.
Review Dimensions
- Purpose & Capability
- noteThe skill's name/description (a wrapper for a local openclaw_capture_workflow) match the code and instructions: it normalizes payloads, calls a local runtime or a backend HTTP API, and fans out results to Telegram/Feishu. Environment variables and tokens it requests (model API key, Telegram bot token, Feishu webhook, backend URL, STT command) are relevant to that purpose. However, the registry metadata lists no required env vars or config paths while SKILL.md (and the code) requires many environment variables and may read a legacy project's config and .env; this metadata mismatch is inconsistent and worth flagging.
- Instruction Scope
- concernSKILL.md instructs running the bundled dispatch_capture.py which imports and may run code from a local openclaw_capture_workflow checkout. The runtime will: read legacy config.json and .env if present, write state under the skill's state_dir, call local legacy scripts, POST to external APIs (model endpoints, Telegram, Feishu), and may run a user-configured local STT CLI command. These actions are within the declared purpose but expand scope to filesystem access and network exfiltration of captured content and potentially secrets from the legacy repo (.env/config). The instructions also permit overriding model API base URL, allowing requests to arbitrary external endpoints.
- Install Mechanism
- okThere is no install spec (instruction-only behavior) and no downloads — code files are packaged with the skill. That yields no hidden remote install step; the runtime is executed locally from the provided scripts.
- Credentials
- concernEnv vars requested by SKILL.md and used in code (OPENCLAW_CAPTURE_MODEL_API_KEY, OPENCLAW_CAPTURE_TELEGRAM_BOT_TOKEN, OPENCLAW_CAPTURE_FEISHU_WEBHOOK, OPENCLAW_CAPTURE_LEGACY_PROJECT_ROOT, OPENCLAW_CAPTURE_LOCAL_STT_COMMAND, etc.) are relevant to the skill’s capabilities. However: (1) the registry metadata claims no required env vars — an inconsistency; (2) some of these are sensitive credentials (model API key, Telegram bot token) and the code will send data and may pass those keys to legacy scripts or to configured API base URLs; (3) OPENCLAW_CAPTURE_MODEL_API_BASE_URL and other overrides allow directing traffic (including keys) to arbitrary hosts if misconfigured, increasing risk.
- Persistence & Privilege
- okThe skill does not request always:true and does not modify other skills. It writes state into a state_dir (by default inside the skill folder) and may read files from a local legacy project path — behavior expected for a local wrapper. No elevated platform-wide privileges are requested.