Skillv0.1.0

ClawScan security

Subagent Watchdog · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

SuspiciousMar 3, 2026, 3:26 PM

Verdict: suspicious
Confidence: medium
Model: gpt-5-mini
Summary: The skill is conceptually aligned with a watchdog that waits for a marker file, but the shipped script reads user config and environment variables (and invokes python3 / an external openclaw binary) without those dependencies or envs being declared, which is an incoherence and a reliability/privacy concern.
Guidance: This skill appears to implement the advertised watchdog behavior, but review these points before installing or running it: - The script will run a short Python snippet (python3) to read ~/.openclaw/openclaw.json when you omit the wait_seconds argument. If that file is missing or malformed the script will error due to 'set -e' and the unguarded open() call. To avoid this, always call ./watch.sh <label> <wait_seconds>, or ensure the config file exists and is valid. - The script can call an external openclaw binary to send notifications if WATCHDOG_CHAT_ID (and an executable OPENCLAW_BIN) are present. If you do not want any external notifications, do not set WATCHDOG_CHAT_ID or set OPENCLAW_BIN to a non-executable path. - The registry metadata does not declare optional deps/envs: python3, OPENCLAW_CONFIG_PATH, OPENCLAW_BIN, WATCHDOG_CHAT_ID, WATCHDOG_CHANNEL, STATE_DIR. Treat these as implicit and verify they are safe/trusted in your environment before use. - The watchdog reads user config (~/.openclaw/openclaw.json). If that file contains sensitive information, be aware the skill will open it (only to read maxRuntimeSeconds in current code), and the script may fail if it's unreadable. Consider running the script in a controlled directory or with explicit wait_seconds. - If you plan to rely on the OpenClaw messaging integration, audit the openclaw binary you will point to so you trust what it transmits. The watchdog’s message text is small (label + timeout), but any external binary could behave differently. Overall: functional and small, but the missing declarations and the unguarded config read are reliability/privacy issues — fix or document these before deploying widely.

Review Dimensions

Purpose & Capability: noteThe name/description and the code match: the script waits, checks for a marker file, and exits or optionally notifies. However the script implicitly requires python3 (used to read the OpenClaw config) and may call an external openclaw binary for notifications — these binaries/envs are not declared in the registry metadata. That mismatch should have been declared as dependencies or optional settings.
Instruction Scope: concernThe SKILL.md and watch.sh direct the agent to read a config file (OPENCLAW_CONFIG_PATH or ~/.openclaw/openclaw.json) and to optionally invoke an external messaging tool (OPENCLAW_BIN) using WATCHDOG_CHAT_ID/WATCHDOG_CHANNEL. The Python code opens the config path without existence checks, so omitting wait_seconds can cause the script to fail if the file is missing. The script also spawns an external binary to send messages, which can transmit alerts outside the local environment (dependent on that binary). These behaviors reach beyond merely checking a local marker file and are not fully documented as required environment or runtime dependencies.
Install Mechanism: okInstruction-only skill with an included small shell script and contract doc; there is no install spec or remote download. This is low-risk from an install-supply-chain perspective.
Credentials: concernThe skill does not declare any required environment variables or binaries, yet the script reads and respects OPENCLAW_CONFIG_PATH, OPENCLAW_BIN, WATCHDOG_CHAT_ID, WATCHDOG_CHANNEL and optional STATE_DIR, and invokes python3. Those env vars and the python3 dependency are reasonable for optional integration, but the registry should list them (at least as optional) so users know what the skill may read or call. Reading ~/.openclaw/openclaw.json also accesses user configuration outside the skill’s own directory.
Persistence & Privilege: okThe skill does not request persistent/always-on presence and does not modify other skills or system-wide configs. Autonomous invocation is allowed by default but does not combine here with excessive privileges.