clawscan

What to consider before installing: - This skill will compute SHA-256 of your installed skill files and gather local listener metadata, then send those minimal records plus an anonymous client UUID to https://clawscan.autosec.dev for server-side matching. That behavior is consistent with a remote hash-matching scanner, but be sure you are comfortable sending that metadata off-host. - Metadata mismatches: the SKILL.md and scripts require python3 and optionally ss/lsof and persist files under ~/.openclaw/clawscan, but the registry entry did not declare these requirements or config paths. Ask the publisher to correct the manifest to list required binaries and the persisted paths. - Scheduled scans: scheduled-scan persists schedule.json and runs silently unless a finding occurs. If you prefer visibility, do not enable scheduled scans or require an explicit prompt/consent before each upload. - Authentication & endpoint: the API contract says auth is unspecified. Confirm whether the public endpoint requires an operator-provided token or whether you can self-host the ClawScan service (and obtain policies/privacy statement) before sending data. - Quick mitigations: run the helper scripts locally to inspect outputs (python scripts/collect_skill_hashes.py and python scripts/list_listeners.py) before any network call; if you must use remote matching, prefer a self-hosted endpoint or insist on explicit, documented auth and a privacy policy. - What would change this assessment: if the registry metadata is updated to declare required binaries and config paths, if the publisher documents the auth scheme and privacy policy for the endpoint, and if scheduled scans require explicit user opt-in with visible reporting, the skill would likely be considered benign/coherent.