Skill v1.0.0

ClawScan security

wesley dashboard builder · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Suspicious · Mar 10, 2026, 10:21 PM
Verdict
suspicious
Confidence
medium
Model
gpt-5-mini
Summary
The skill's declared needs (Telegram token + chat ID) match its described features, but the runtime instructions embed high-privilege operations (scp/ssh to a hard-coded VPS, docker exec, editing docker-compose, cloudflared tunnel setup) and hard-coded host/container paths that don't obviously belong inside a general-purpose 'dashboard builder' skill — review and verify ownership of the remote host and any commands before using.
Guidance
Do not blindly run the shell/ssh/docker/cloudflared commands in the docs. Before installing or following these steps:

1) Confirm you (or your organization) own and control the VPS IP, container name, and workspace paths referenced (72.62.30.28, openclaw-yyvg-...).
2) If you do not control that host, do not scp/ssh or apply the docker-compose/systemd changes — they would deploy code to a third-party machine.
3) Treat TELEGRAM_BOT_TOKEN as a secret: use a bot with minimal scope, rotate the token if it was exposed, and avoid sending tokens to remote machines whose ownership is unclear.
4) Review any suggested CORS and pip install commands (they can open services to the web or modify container internals); prefer limiting CORS origins and use vetted package installs.
5) If you want only local dashboard generation, ignore the hard-coded deployment steps and host the generated files on infrastructure you control (local machine, your VPS, or a trusted cloud bucket).

If you need a final judgment about safety for your environment, provide whether you control the referenced VPS and whether you intend the agent to run commands on your host.

Review Dimensions

Purpose & Capability
note: Requesting TELEGRAM_BOT_TOKEN and TELEGRAM_CHAT_ID is coherent with the skill's photo-upload and Telegram integration. However, the documentation also repeatedly references a specific VPS IP, container name, and workspace paths (72.62.30.28, openclaw-yyvg-...), which is unexpected for a generic dashboard-builder skill and suggests either embedded vendor-specific deployment steps or possibly instructions targeted at a particular remote environment.
Instruction Scope
concern: SKILL.md includes operational commands that modify remote infrastructure: scp/ssh to root@72.62.30.28, docker cp/exec, editing docker-compose.yml, creating cloudflared tunnels and writing credentials under /root/.cloudflared, and adding systemd/autostart scripts. Those instructions go well beyond generating HTML/CSS/JS and require high privileges on a host; they could be dangerous if you do not control the referenced VPS. The skill also instructs enabling permissive CORS (`CORS(app, origins=['*'])`) and installing packages with `--break-system-packages` — both high-impact ops that should be reviewed.
Install Mechanism
ok: No install spec and no code files are present — the skill is instruction-only, which minimizes direct supply-chain risk (nothing is auto-downloaded or written by an installer). The security surface is therefore the instructions themselves rather than any bundled executable code.
Credentials
note: The only required environment variables are TELEGRAM_BOT_TOKEN (primary) and TELEGRAM_CHAT_ID, which are proportionate to the stated Telegram upload/display functionality. Reminder: Telegram bot tokens grant broad control over the bot and should be treated as sensitive secrets; the skill's docs also suggest using that token to upload/receive media and to share links, which is consistent but sensitive.
Persistence & Privilege
concern: While the skill itself is not marked always:true, its instructions explicitly direct creation of persistent services (auto-start scripts, docker-compose changes, cloudflared tunnels, and permanent credentials files under /root). That operational guidance asks the user to create persistent privileges on the target host and expose local services to the public internet — actions that carry significant security and persistence implications if performed against a host you do not own or fully control.