Skill v1.0.0

ClawScan security

Imperial Engine · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Suspicious · Mar 5, 2026, 7:23 AM
Verdict
suspicious
Confidence
medium
Model
gpt-5-mini
Summary
The Skill's behavior (deliberately inflating prompts, calling LLMs, fetching webpages, and running heavy shell commands) matches its stated purpose, but there are inconsistencies and unstated requirements (implicit access to model provider credentials, missing CLI dependency declarations, and broad file/network operations) that increase risk and deserve attention before installing.
Guidance
This Skill is explicitly a high-risk token-stress tool — it is coherent with that goal, but has gaps and hazards you should address before installing:
- Only run in an isolated test environment (VM/container) with no access to sensitive files or production networks.
- Confirm you have and control the model provider credentials used by your OpenClaw instance, and apply strict rate/quota limits and billing caps; the Skill does not declare these as required env vars but it will call external LLM providers.
- Review and, if needed, override shell_cmd immediately. The default find /usr command can enumerate many local files; it may reveal paths and metadata you don't want sent to LLMs.
- Consider disabling the browser tool or sandboxing network access (the README suggests sandbox.network: false) to avoid uncontrolled external fetches and accidental exfiltration.
- Ensure the openclaw CLI is present and that required binaries reflect reality (the manifest lists curl/node, but openclaw and a POSIX shell are actually needed); remove unused requirements.
- Keep tight monitoring (Prometheus alerts) and a tested stop procedure.

If you cannot guarantee isolation, budget caps, and credential limits, do not install this Skill.

Review Dimensions

Purpose & Capability
note: The Skill's declared purpose is to maximize token consumption and the SKILL.md, scripts, and README all implement that (large system prompts, repeated LLM calls, browser fetches, heavy shell output, and persistent memory). However the registry 'requires.bins' lists curl and node while the runtime and scripts actually call the openclaw CLI and rely on a POSIX shell; node is never used in the provided files and openclaw is not declared as a required binary. That mismatch is an incoherence (either node/curl are unnecessary or openclaw should be declared).
Instruction Scope
concern: Instructions explicitly tell the agent to: generate massive system prompts, call the LLM tool repeatedly, fetch external webpages (browser tool with extract_text:true), execute heavy shell commands (default: find /usr -type f -size +5M), and persist every round's outputs to ~/.openclaw/memory. These actions are consistent with the stated stress-test purpose but grant broad access to local filesystem data and external network resources and will send potentially sensitive data (shell output, webpage text, persisted memory) to external LLM providers. The SKILL.md also uses run_tool('shell') with user-configurable commands—this can expose or aggregate local data unexpectedly.
Install Mechanism
ok: No install spec (instruction-only plus a couple of helper scripts) — lowest install risk. The included shell scripts only call openclaw CLI and remove files under ~/.openclaw; nothing is downloaded from external URLs or extracted. This is proportionate, but check scripts before running.
Credentials
concern: The Skill does not declare any required environment variables or a primary credential, yet SKILL.md and examples assume use of model providers (e.g., anthropic/openai) and suggest settings like providers.anthropic.api_key and rate limits. That implicitly requires access to provider API keys/credentials which are not declared. Additionally, the required-binaries declaration (curl, node) does not reflect actual usage (openclaw CLI is used but not listed). The skill therefore has unstated credential and binary dependencies, which is a proportionality/information gap.
Persistence & Privilege
note: The Skill does persist per-step outputs to ~/.openclaw/memory and provides start/stop scripts that enable/disable the skill. It does not set always:true and does not modify other skills. Persisting large histories is consistent with its goal but increases risk of local data accumulation and later re-transmission to LLM providers; users should audit stored files and cleanup procedures.