Skill v1.0.0

ClawScan security

OpenClaw Daily · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Benign
Mar 9, 2026, 5:01 AM
Verdict
benign
Confidence
high
Model
gpt-5-mini
Summary
The skill's requested actions and constraints line up with its stated purpose: it only describes collecting fields, confirming with the user, and calling three explicit OpenClaw API routes (submit, latest-live, review-result).
Guidance
This skill appears coherent and focused: it will prepare submissions and only POST to https://sidaily.org after you explicitly confirm. Before installing, ensure you understand that confirmed submissions will be sent to that external service and that the agent has network access. If you want to avoid accidental posts to other hosts, prefer using the explicit production URL rather than relying on the relative-path behavior that inherits the current origin. Also verify the sidaily.org endpoint is the legitimate destination for your organization and that content policies (privacy/sensitive data) are acceptable before submitting. If you need higher assurance, test behavior in a sandboxed agent environment or with a mock endpoint first.

Review Dimensions

Purpose & Capability
ok
The name/description match the instructions: collecting submission fields, showing a draft, requiring explicit confirmation, and calling the documented POST/GET routes on sidaily.org. No unrelated credentials, binaries, or config paths are requested.
Instruction Scope
note
Instructions are narrowly scoped to field collection, validation, confirmation, and calling the listed API endpoints. One minor note: when no domain is specified, the doc says to use a relative path that inherits the current origin. In contexts where the agent is embedded in a different origin, that could cause requests to go somewhere other than sidaily.org. The doc also provides the explicit production URL (https://sidaily.org), which avoids that ambiguity.
Install Mechanism
ok
Instruction-only skill with no install spec and no code files, so nothing is written to disk and no external packages are pulled in.
Credentials
ok
No environment variables, credentials, or config paths are required; requested capabilities are proportional to the stated API-integration purpose.
Persistence & Privilege
ok
Skill does not request permanent/always-on presence (always:false) and does not ask to modify other skills or system settings. Autonomous invocation is allowed by platform default and is not by itself a concern here.