Back to skill
Skillv0.1.9
ClawScan security
Cyber Security Engineer · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
BenignMar 27, 2026, 11:25 PM
- Verdict
- benign
- Confidence
- medium
- Model
- gpt-5-mini
- Summary
- The skill's code, runtime instructions, and requested configuration are internally consistent with a local least‑privilege / monitoring workflow; nothing obvious points to hidden exfiltration or unrelated credential access, though installer and notification behavior should be reviewed before enabling.
- Guidance
- This package appears to implement what it advertises (least‑privilege wrappers, port/egress monitoring, and compliance reporting). Before installing or enabling the sudo runtime hook: 1) Audit the installer script (scripts/install-openclaw-runtime-hook.sh) and the sudo shim (scripts/guarded_privileged_exec.py and scripts/root_session_guard.py) to confirm they only modify ~/.openclaw and the OpenClaw gateway LaunchAgent as documented; 2) Inspect notify_on_violation.py to verify it does not send data to remote endpoints you don't expect (the skill allows configuring an external notifier path); 3) Restrict and review policy files (~/.openclaw/security/*.json) and set tight filesystem permissions so audit/assessment outputs are not world-readable; 4) Test in a non-production environment first (the auto-cycle will run lsof/ss/netstat and record PIDs/commands and connection targets to assessment files); and 5) If you do enable the shim, ensure you understand recovery steps (how to remove ~/.openclaw/bin/sudo and revert LaunchAgent changes) so you can restore the original sudo behavior if needed.
Review Dimensions
- Purpose & Capability
- okName/description match the included files: port/egress monitors, command policy, guarded privileged exec, assessment/dashboard generators, and a runtime hook installer. Required tools (python3, lsof/ss/netstat, optionally npm/openclaw CLI) are consistent with the declared purpose.
- Instruction Scope
- noteSKILL.md instructs the agent to run local inspection and enforcement scripts and to optionally install a sudo shim under the user's home. The instructions reference only the declared policy files and ~/.openclaw state; they do collect local process/port/connection info (lsof/ss/netstat outputs, PIDs, commands) and write results to ~/.openclaw and the skill's assessments directory — expected for this purpose but privacy-sensitive. Review the notify_on_violation behavior before enabling notifications.
- Install Mechanism
- okThere is no remote download/install spec in the registry entry; the skill is instruction-only with bundled scripts. The provided installer modifies only the user's home (~/.openclaw) and (optionally) the OpenClaw gateway LaunchAgent on macOS. That is proportionate, but the LaunchAgent change is sensitive and is opt-in per the doc.
- Credentials
- okNo required secrets or unrelated environment variables are requested. The documented OPENCLAW_* variables are configuration toggles for the shim/monitoring behavior (approval token, session id, notifier path, etc.) and are reasonable for the stated feature set. Nothing asks for cloud/OS credentials outside the user's control.
- Persistence & Privilege
- noteThe skill does install an opt-in sudo shim into ~/.openclaw/bin and can modify the gateway LaunchAgent (macOS) when enabled; this grants the skill persistent interception of sudo within the gateway process's PATH but only if the user opts in (ENFORCE_PRIVILEGED_EXEC=1). always:true is not set. Treat the runtime hook as a privileged control that should be enabled only after inspection and testing.