Skill v1.0.8

ClawScan security

Openclaw Self Improve · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Benign · Apr 22, 2026, 3:29 AM
Verdict: benign
Confidence: high
Model: gpt-5-mini

Summary
The skill's files and runtime instructions are consistent with an approval-gated, metrics-first repository-improvement workflow; it reads and writes a target repository, can create backups, and may run git/zip/python3, which match its purpose.
Guidance
This skill is coherent with its stated purpose, but review and take these precautions before running it:
1) Run in dry-run mode first (init-improvement-run.sh --dry-run) and inspect the generated scaffold in a non-production clone of your repo.
2) Confirm the repo path you pass (it may default to /root/openclaw if you omit scope).
3) Ensure required tools are available (git, zip, python3, standard shell utils); the bundle's SKILL.md lists them even though registry metadata didn't.
4) Be aware the scripts will read arbitrary files in the repo and can run commands you supply as validation gates; avoid pointing the skill at sensitive production repositories until you've tested in a safe environment.
5) If using rollback, note it runs 'git checkout .' which will reset working tree changes.
6) If you have limited trust, inspect the scripts locally (they're included), especially uses of eval/log_command and any places where user-supplied patterns get interpolated into shell commands.

Review Dimensions

Purpose & Capability: ok
The name/description (self-improvement for OpenClaw) match the provided scripts and docs: they scaffold run artifacts, capture baselines, propose changes, create backups, detect validation gates, and export JSON. There are no unrelated credential requests or external endpoints. Note: the SKILL.md lists required binaries (bash, git, date, grep, awk, zip, python3) but the registry metadata showed 'none'; this mismatch is an operational/metadata inconsistency rather than a capability mismatch.
Instruction Scope: note
Runtime instructions and scripts legitimately read repository contents, create a run directory under <repo>/.openclaw-self-improve, optionally create zip backups of the repo, and (on rollback) call 'git checkout .' to restore state. Scripts auto-detect validation commands and write those commands into run artifacts. They do not transmit data to external endpoints. Caveats: some helper functions (log_command) use eval to execute arbitrary commands passed to them, and backup-repo.sh builds a zip command string and executes it via eval; these are reasonable for a tooling script but mean the code will execute commands you pass as validation gates or other inputs. Also, the SKILL.md says that if scope is unspecified and /root/openclaw exists it uses that path; this default could cause the skill to operate on a system repository unexpectedly if invoked without explicit scope.
Install Mechanism: ok
There is no install spec (instruction-only with included scripts); nothing is downloaded or installed from remote URLs. All code is contained in the bundle. This is low install risk.
Credentials: ok
The skill requests no environment variables or credentials and writes only inside the target repo (creates .openclaw-self-improve). It does require filesystem and executable access (git, zip, python3, shell utilities), which is proportionate to a repo-improvement workflow.
Persistence & Privilege: ok
always:false and user-invocable:true. The skill writes artifacts into the repository under a namespaced directory and can create backups; it does not modify other skills or system-wide settings. Rollback (git checkout) requires repository write access and is gated by explicit flags; the implementation mode requires approval before making behavior edits per the docs.