Skill v1.0.7
ClawScan security
Openclaw Guardian · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Suspicious (Mar 11, 2026, 3:12 AM)
- Verdict: suspicious
- Confidence: medium
- Model: gpt-5-mini
- Summary: The package largely matches a commercial 'guardian' suite, but it fetches and executes encrypted code from a remote payment server, injects watermarks into local Python files, and contains a self‑whitelisting install helper — these behaviors merit caution before installing.
- Guidance: This package is plausible for a commercial 'guardian' suite, but several behaviors merit caution:
  - Remote code fetch & exec: The installer contacts a payment server (default https://skill.socialmore.net), creates an order, then downloads an encrypted payload and decrypts/executes it locally. That means code from the vendor will run on your machine — only proceed if you trust the vendor and the server.
  - Watermark injection: The included watermark.py will recursively inject license headers into Python files under a target directory. This modifies your installed code permanently; back up repositories and virtualenvs first, and do not run as root.
  - Self-whitelisting: The 'skill-safe-install' component contains a hard-coded whitelist that treats this author's skills as trusted and can bypass normal review steps. That reduces independent auditing of this package and bundled skills.
  - Default external endpoints: patch_integration creates a compaction-proxy routes.json pointing to a third-party LLM endpoint template (llmapi.lovbrowser.com) and expects API keys. Review and control any externally configured endpoints.

  Recommendations before installing:
  1. Request a vendor-signed release or inspect the remote payload behavior (what oc_execute_skill does after fetching) — ideally get the plaintext code or a reproducible build.
  2. Run the installer in an isolated environment (VM / disposable container) first to observe network calls and filesystem changes.
  3. Back up ~/.openclaw and any code you care about; avoid running as root.
  4. Verify the payment/oc-pay-server domain and SSL certs; prefer explicit OC_PAY_SERVER values you control.
  5. If you require stricter audit, refuse auto-whitelisting and insist the package remove or document the whitelist mechanism.

Given the mix of plausible commercial intentions and several risky implementation choices (remote exec, persistent watermarking, self-whitelist), treat this skill as suspicious until the vendor or maintainer supplies stronger transparency and assurances.
Review Dimensions
- Purpose & Capability (note): The skill claims to be a paid guardian bundle (configuration safety, rollback, monitoring, context proxy). Many artifacts align with that purpose (config validators, rollback, fswatch, health audit). However metadata and runtime files diverge: registry metadata declares no required env vars/binaries while _meta.json and scripts expect python3, curl, openssl and an OC_PAY_SERVER endpoint. Requiring a payment/license verification server and remote skill fetch is explainable for a commercial bundle, but the metadata omission (no required envs) is inconsistent and unusual.
- Instruction Scope (concern): SKILL.md directs users to run the bundled install.sh which sources lib/sdk/auth.sh. auth.sh contacts an external OC_PAY_SERVER to verify/create orders, then oc_execute_skill fetches an encrypted payload from that server and (via openssl) will decrypt/execute it in memory. The package also includes scripts that create/modify ~/.openclaw/* files, write a compaction-proxy routes.json with a third-party LLM endpoint template, and a watermark tool that will recursively modify Python files to insert licensed-to headers. Additionally, the included skill-safe-install contains a built-in whitelist that explicitly exempts this author's skills (including openclaw-guardian) from full review — effectively bypassing the normal safety review for the package itself. These are broad, persistent actions beyond simple installation and should be reviewed carefully.
- Install Mechanism (concern): There is no formal install spec, but install.sh uses a bundled oc-pay-sdk to contact a remote server (default https://skill.socialmore.net) and then fetch encrypted skill contents for local execution. Remote fetch-and-execute of decrypted payloads (even in-memory) is high-risk because it runs code from an external server. The included files are local, but the runtime behavior depends on network downloads and openssl decryption — a privileged execution path that's disproportionate if you expect only local configuration tooling.
- Credentials (note): Registry-level 'required env vars' were empty, but the installer expects environment inputs at runtime (OC_PAY_SERVER may be set by the user; OC_ACCEPT_TERMS must be yes to proceed) and uses system identity (user@hostname) to form an identifier. The bundle also writes a routes.json template that expects an external API key. While payment flows commonly require a server endpoint, the mismatch between declared requirements and actual env/use of external endpoints is inconsistent. No explicit secret env variables are declared, but the package will handle license tokens and requests to external services — a reasonable need for a paid product, but still sensitive.
- Persistence & Privilege (concern): The installer and helper scripts create and modify persistent files under the user's home (~/.openclaw), create backups, symlinks into .lib, and the watermark tool will modify arbitrary installed Python files under a target directory. The skill also embeds a whitelist mechanism that exempts its own author/skills from review. These actions create durable changes to the system and reduce future scrutiny, which increases risk.
