Skill v0.1.2

ClawScan security

Fletcher Cyber Security Engineer · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Suspicious · Feb 15, 2026, 12:41 AM
Verdict
suspicious
Confidence
medium
Model
gpt-5-mini
Summary
The skill's code and instructions mostly align with a privilege-governance tool, but there are mismatches (undeclared env vars and expected system tools) and a runtime-hook installer that could modify the agent/runtime — you should review those before installing.
Guidance
This skill appears to implement the privilege governance features it claims (audit logging, guarded privileged exec, port/egress monitors, compliance reporting). Before installing or running it, check three things: (1) confirm whether the included install script (install-openclaw-runtime-hook.sh) will be executed automatically by the platform or only when you explicitly run it — installing a runtime hook can change global agent behavior and should be run only with full understanding and approval; (2) verify the platform will provide the expected system tools (lsof/ss/netstat) or that you are comfortable granting the skill the ability to call them, since the registry does not declare required binaries; (3) accept that the skill reads and writes files under ~/.openclaw and honors environment flags like OPENCLAW_UNTRUSTED_SOURCE and OPENCLAW_REQUIRE_SESSION_ID — these env vars are referenced but not declared in the registry, so set/inspect them explicitly. If you need higher assurance, review the full contents of install-openclaw-runtime-hook.sh and root_session_guard/guarded_privileged_exec.py to ensure they do not modify other skills' configs or attempt network callbacks. If any of those checks fail or are unclear, treat the package cautiously or run it in an isolated environment first.

Review Dimensions

Purpose & Capability
note
The name/description (privilege governance, port/egress monitoring, ISO/NIST reporting) matches the included scripts (port_monitor, egress_monitor, guarded_privileged_exec, audit_logger, dashboard, etc.). However, the SKILL metadata declares no required binaries while scripts call system utilities (lsof/ss/netstat); likewise SKILL files and agents/openai.yaml reference OPENCLAW_* environment flags and policy files under ~/.openclaw, but the registry lists no required env vars. These are plausible design choices but the mismatch between declared requirements and actual code is noteworthy.
Instruction Scope
concern
SKILL.md instructs the agent to use bundled scripts and to enforce approval-first elevation and to write logs to ~/.openclaw/security/privileged-audit.jsonl — that is consistent. But the SKILL.md and agent prompt reference environment variables (OPENCLAW_UNTRUSTED_SOURCE, OPENCLAW_REQUIRE_SESSION_ID and generic OPENCLAW_*), and the code reads/writes files in the user's home (~/.openclaw) and may install runtime hooks. The skill directs the agent to run system commands (lsof/ss/netstat) and to potentially alter runtime behavior via an 'install-openclaw-runtime-hook.sh' script. The instructions do not declare or limit when the installer should run; any automatic or poorly gated invocation of the installer would be high-impact. The guidance to never elevate without explicit approval is present in SKILL.md, but you should verify how/when the install scripts are executed in practice.
Install Mechanism
note
There is no formal install spec in the registry (no package downloads). All code is bundled in the skill. That lowers supply-chain risk compared to external downloads. However, the package includes a script named install-openclaw-runtime-hook.sh which (when run) will likely alter runtime configuration. Because there is no declared install step, it's unclear whether that script is run automatically by the platform or left to a manual operator — clarify that before proceeding.
Credentials
concern
The skill does not request secrets or credentials, which is appropriate. But SKILL.md and agents/openai.yaml reference OPENCLAW_* environment variables (OPENCLAW_UNTRUSTED_SOURCE, OPENCLAW_REQUIRE_SESSION_ID and others) and rely on policy/config files under ~/.openclaw/security. Those env vars are not declared in requires.env; the mismatch is a governance/visibility issue. The code also expects system utilities (lsof/ss/netstat) but the registry lists no required binaries. While no credentials are requested, the skill will read and write files in the user's home directory and may inspect active network connections — this is proportional to the stated purpose but you should be aware and accept those file/host-level accesses explicitly.
Persistence & Privilege
note
The skill is not marked always: true and does not declare autonomous-only privileges beyond normal agent invocation. That is good. However, it includes an install script which appears intended to install a runtime privileged-execution hook. Installing such a hook would increase the skill's persistence/impact by changing runtime behavior for future commands. The SKILL.md emphasizes requiring explicit user approval for elevation, but you should confirm whether the hook-install action itself requires explicit manual approval and whether it modifies global agent/runtime configuration or just the skill's own config files.