Skill v0.1.0
ClawScan security
Proactive Claw Integrations · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Suspicious (Mar 6, 2026, 9:49 AM)
- Verdict
- suspicious
- Confidence
- medium
- Model
- gpt-5-mini
- Summary
- The bundle mostly does what it says (GitHub/Notion enrichment, team calendar, and an optional remote OAuth helper) but there are several mismatches and opt‑in network behaviors you should review before installing.
- Guidance
- What to check before installing:
  - Confirm you have the proactive-claw core skill installed and that it provides the referenced daemon.py; the installer writes launchd/systemd user jobs that will run periodically.
  - Understand opt-in network behavior: Notion enrichment will use NOTION_API_KEY (read-only search) if you set that env var; GitHub enrichment uses your gh CLI auth via subprocess calls. These integrations are optional but will make outbound requests when enabled.
  - The optional setup_clawhub_oauth.sh will fetch credentials.json from https://clawhub.ai if you opt in. This helper enforces a SHA-256 pin and a config flag before saving credentials, which is good, but only enable it if you trust clawhub.ai. Verify the expected SHA-256 pin before allowing remote fetch.
  - Review file writes under ~/.openclaw/workspace/skills/proactive-claw (DB, pending_nudges.json, credentials.json). Ensure you are comfortable with a user-level daemon having access to those files.
  - If you do not need a particular integration (Notion, GitHub, team calendar, remote OAuth provisioning), do not enable it. The code claims opt-in behavior; follow that advice and only enable needed features.
  - If anything is unclear (where daemon.py comes from, whether gh is required), ask the skill author or inspect the proactive-claw core skill before proceeding.
Review Dimensions
- Purpose & Capability
- note: The skill's files and SKILL.md align with the described purpose (cross-skill GitHub/Notion enrichment, team calendar syncing, and a daemon installer). However, some capabilities used by the scripts are not fully declared in the registry metadata: the cross-skill script uses the gh CLI and an optional NOTION_API_KEY env var, and the optional OAuth helper contacts clawhub.ai to fetch credentials.json. The skill does declare a dependency on the proactive-claw core skill, which plausibly supplies missing pieces (e.g., daemon.py), but the registry metadata did not list the optional network/credential requirements explicitly.
- Instruction Scope
- concern: Runtime instructions and scripts perform local reads/writes under ~/.openclaw/workspace/skills/proactive-claw (DB, pending_nudges.json, credentials.json) and make optional outbound network calls: gh CLI subprocess calls, Notion API POSTs when NOTION_API_KEY is set, and an explicit opt-in fetch from https://clawhub.ai. The cross_skill.py presence check probes other SKILL.md files (presence-only). Installing the daemon will write launchd/systemd user units and schedule periodic runs. These actions are within the described purpose but expand the trust surface (scheduled execution + external network calls).
- Install Mechanism
- ok: There is no automatic install spec; this is an instruction/code bundle. The only network download path is the optional setup_clawhub_oauth.sh helper, which explicitly contacts clawhub.ai and enforces a SHA-256 pin and an opt-in flag; that mitigates some risk. The daemon installer writes user-level service/timer units (launchd/systemd user) but does not pull arbitrary code from unknown URLs.
- Credentials
- concern: The registry lists only python3 (and proactive-claw core) as required. In practice: cross_skill.py will call the gh CLI (requires gh installed and authenticated) and will read NOTION_API_KEY from the environment if present; team_awareness relies on calendar backend credentials (credentials.json / token); and the optional script will use clawhub_token from the skill's config.json. NOTION_API_KEY and the gh CLI are not declared as required env/binaries in the metadata, which is an omission that affects the principle of least privilege and transparency.
- Persistence & Privilege
- note: always:false and model invocation allowed are fine. The provided installer can create and enable a recurring user-level background job (launchd or systemd user timer) that will run every ~15 minutes; that is powerful and persistent but is an expected capability for a 'daemon installer' feature. The installer references scripts/daemon.py, which is not present in this bundle (likely provided by the proactive-claw core skill), but you should confirm before enabling the daemon.
