Skill v0.1.11
ClawScan security
Skill · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Review: Mar 14, 2026, 5:01 PM
- Verdict: Review
- Confidence: medium
- Model: gpt-5-mini
- Summary: The skill's README claims background dispatch/worker/telegram scripts, but the package lacks the runtime entrypoint scripts and the installer creates wrappers that point to missing files; it also instructs reading local OpenClaw config for Telegram tokens — overall the bundle is internally inconsistent and should not be trusted without clarification.
- Guidance: Do not install this package as-is. The SKILL.md promises dispatcher/worker/notify scripts but the archive only includes an installer that will create wrappers pointing to missing files — you will end up with broken commands. Also note the skill will try to read ~/.openclaw/openclaw.json for a Telegram bot token if TELEGRAM_BOT_TOKEN isn't set, which could expose unrelated OpenClaw secrets. Ask the publisher for a complete package (include scripts/codex-dev-dispatch, codex-dev-worker, telegram-notify) and for justification of reading OpenClaw config. If you must test, do so in an isolated environment (throwaway VM or container) and inspect the actual dispatcher/worker scripts before running them or setting TELEGRAM_BOT_TOKEN/global config. Avoid placing real production repos or global credentials in the default workdir until the package is validated.
Review Dimensions
- Purpose & Capability (concern): The SKILL.md describes a dispatcher, worker, and telegram helper (scripts/codex-dev-dispatch, scripts/codex-dev-worker, scripts/telegram-notify) and behavior to run Codex jobs. However, the package manifest only includes scripts/install-local.sh (and no dispatcher/worker/notify scripts). That means the skill as-published cannot perform the claimed capability. The install script will create wrapper symlinks to non-existent entrypoints, producing a broken installation.
- Instruction Scope (concern): The instructions direct the agent/worker to optionally read TELEGRAM_BOT_TOKEN or fall back to a botToken located in CODEX_DEV_OPENCLAW_CONFIG or ~/.openclaw/openclaw.json. That asks the runtime to read a local OpenClaw config file which may contain other secrets. The SKILL.md also advises commands that restart or configure the OpenClaw gateway (systemctl restart guidance appears in references), which is out-of-band for a skill and requires privileged local actions. The instructions therefore reference files and system state beyond the skill's declared scope.
- Install Mechanism (concern): There is no formal install spec in the registry (instruction-only), but the included scripts/install-local.sh will create symlinks and small wrapper scripts in a user-provided bin directory. Those wrappers point to scripts that are not included in the package, so running the installer will produce broken wrappers. While there is no network download or archive extraction here, the installer still modifies the user's PATH by adding wrapper scripts — doing so when core runtime files are missing is risky and confusing.
- Credentials (concern): The skill declares optional environment variables (CODEX_DEV_*, TELEGRAM_BOT_TOKEN) but the runtime behavior explicitly reads local config (~/.openclaw/openclaw.json) for botToken if TELEGRAM_BOT_TOKEN is unset. Accessing another config file to obtain tokens is not declared in the registry metadata and could expose unrelated secrets. No primary credential is declared, but the instruction to read OpenClaw config increases sensitive-scope access beyond what the description justifies.
- Persistence & Privilege (note): always:false and normal agent invocation are used (no elevated automatic persistence). The installer will create user-level wrapper scripts in a bin directory (default $HOME/bin) which is persistent in the user's environment — this is standard but should be done only when the package is complete. The skill does not request system-wide privileges, but SKILL.md advises service restarts in local-setup docs, which are privileged operations.
