Skillv2026.3.24

ClawScan security

OpenClaw Guide Maintenance · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

BenignMar 24, 2026, 3:00 AM

Verdict: benign
Confidence: medium
Model: gpt-5-mini
Summary: This is an instruction-only maintenance guide for OpenClaw; its content and requests are broadly consistent with that purpose, but it contains many references to local credential files, tokens, and prompt-building internals (and a scanner flag for a 'system-prompt-override' pattern), so review before using in sensitive environments.
Guidance: This skill is a documentation bundle for OpenClaw and appears coherent with that purpose. Because it mentions many local credential files, token-file usage, and prompt internals, do the following before enabling it: 1) Manually scan SKILL.md (and the referenced files) for any lines that explicitly instruct an assistant to 'ignore', 'override', or 'replace' system prompts or previous instructions — these are prompt-injection indicators. 2) Never paste API keys, gateway tokens, or private credential file contents into chat; use secure secret stores or token-file references on your host instead. 3) Verify the skill origin if you plan to act on its operational commands — there is no homepage and source is unknown; prefer official docs or a trusted registry. 4) If you intend to follow its commands on a running Gateway, run them locally in a controlled environment (not by sending secrets to an agent). If you want, provide the specific sections you'd like checked in detail and I can search the text for explicit prompt-injection or exfiltration instructions.
Findings: [system-prompt-override] unexpected: The scanner found a pattern flagged as a system-prompt-override. The docs legitimately discuss 'system prompt' assembly and prompt-building internals (agent_runtime.md, thinking.md, etc.), so this may be a false positive. Still, the presence of that pattern warrants manual review to ensure there are no explicit instructions that tell an assistant to ignore prior safety/system instructions or to override platform policies.

Review Dimensions

Purpose & Capability: okName/description match the contents: this is a large, offline documentation bundle for installing, configuring, operating, and troubleshooting OpenClaw. The skill declares no binaries, no env vars, no install steps — which is appropriate for a docs-only skill.
Instruction Scope: noteThe SKILL.md and referenced files are extensive operational docs that show CLI commands (openclaw ...), config paths, and examples that reference token files and credential paths (e.g. ~/.openclaw/gateway.token, ~/.openclaw/credentials/...). The skill does not itself instruct the agent to read or exfiltrate files, but it does advise operators on how to use token files and where secrets live. The pre-scan detected a 'system-prompt-override' pattern; this appears likely to be a false-positive because the docs legitimately describe prompt assembly and 'system prompt' internals, but the presence of such phrases means you should inspect the content for any explicit prompt-injection directives (e.g., lines that tell an assistant to ignore earlier system instructions).
Install Mechanism: okInstruction-only skill with no install spec and no code files. This is the lowest-risk install profile: nothing is downloaded or written by the skill itself.
Credentials: noteThe skill does not request environment variables or credentials, but the documentation references many sensitive config paths, token files, and environment variable examples (e.g., TELEGRAM_BOT_TOKEN, gateway tokens, browser remote CDP tokens). Those references are expected for a maintenance guide, but they increase the chance that an operator or agent using the guide will be prompted to expose secrets — treat any token-file examples as informational only and do not paste secrets into chat.
Persistence & Privilege: okalways:false and no install steps; the skill does not request persistent privileges or force-enable itself. It is user-invocable and allows model invocation (normal for skills).