Skillv1.0.0

ClawScan security

local-config-model-recommender · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

ReviewMar 13, 2026, 5:46 AM

Verdict: Review
Confidence: medium
Model: gpt-5-mini
Summary: The skill's behavior mostly matches its stated purpose (it reads local OpenClaw configuration and recommends models), but there are inconsistencies and a minor data-access risk you should review before installing.
Guidance: This skill appears to do what it says, but before enabling it: 1) inspect your ~/.openclaw/openclaw.json to confirm it contains only model IDs/metadata and not API keys or secrets; 2) note that the skill's metadata does not declare the config path it will read — prefer skills that explicitly declare required config access; 3) if you are concerned about data exfiltration, restrict network access for the agent or run the skill in a sandbox until you've verified behavior; and 4) if you need stronger guarantees, ask the author to add the required-config-path to the metadata and to limit parsing to non-sensitive fields.

Review Dimensions

Purpose & Capability: noteThe skill's name and description align with its runtime instructions (it reads the OpenClaw config and recommends models). However, the package metadata declares no required config paths even though SKILL.md explicitly instructs the agent to parse ~/.openclaw/openclaw.json — a mismatch in declared vs. actual resource access.
Instruction Scope: noteInstructions are narrowly scoped: parse the OpenClaw config, analyze task keywords, and match model IDs. They do not instruct network exfiltration or broad system reads. One minor concern: the guidance to 'analyze user's task requirements' is vague and could allow broader context gathering unless the agent's runtime policies restrict that.
Install Mechanism: okThis is an instruction-only skill with no install spec or code files, so nothing is written to disk and there is no external install risk.
Credentials: noteThe skill declares no environment variables or credentials, which is reasonable. But it reads ~/.openclaw/openclaw.json; depending on your setup that file could contain more than model IDs (e.g., endpoint URLs or API keys). The skill does not declare this config access in its metadata, so verify what is stored in that file before allowing the skill to read it.
Persistence & Privilege: okThe skill is not always-enabled and does not request elevated or persistent privileges in the metadata. Autonomous invocation is allowed by default (platform normal) and is not a standalone red flag here.