Skill v1.5.0

ClawScan security

Openclaw Health Audit · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Benign · Mar 19, 2026, 5:48 PM
Verdict: benign
Confidence: high
Model: gpt-5-mini
Summary
The skill's files, scripts, and runtime instructions are coherent with its stated purpose (local OpenClaw health audit and conservative auto-fix); there are minor documentation inconsistencies but no obvious attempts to exfiltrate secrets or download arbitrary code.
Guidance
This skill appears to do what it says: local inspection of OpenClaw files, optional registration of a 48h health-check cron job, and conservative auto-fixes (cron/session). Before installing, consider:
1) Back up ~/.openclaw/cron/jobs.json and ~/.openclaw/.lib/session_model_state.json so you can revert changes.
2) Run the wizard and health_monitor in --dry-run first (audit_wizard.py offers this).
3) Confirm the agent/system that will execute cron job payloads (the 'agentTurn' payload instructs sending reports via Telegram/Discord); ensure those outbound connectors and recipients are trusted, because reports will contain local audit data.
4) The documentation contains a small contradiction (it claims 'Does NOT send data to external servers' yet describes sending via Telegram/Discord); treat reporting as network-capable behavior originating from your configured agent, not from the Python scripts themselves.
5) If you rely on the openclaw CLI for usage-cost, ensure its stored credentials are scoped appropriately.
If you want higher assurance, inspect the scripts (they are included) and run them in a controlled environment before enabling auto-fix or registering the cron job.

Review Dimensions

Purpose & Capability
ok · The name and description (health audit, cron/session/token checks) match what the code does: it reads ~/.openclaw files (openclaw.json, session_model_state.json, cron jobs), measures prompt file sizes, inspects message-injector/index.ts and pools/session state, and can register/modify a local cron jobs json. No unrelated credentials or cloud APIs are requested by the skill itself.
Instruction Scope
note · SKILL.md and the scripts explicitly read and (when asked) write local OpenClaw config and cron job files and run local Python scripts; that is expected. Minor inconsistency: SKILL.md's security table says 'Does NOT send data to external servers', but the cron job prompts and documentation instruct the agent to 'send the report to the user (Telegram/Discord)'. The skill itself does not directly implement network exfiltration, but scheduled agent runs or the agent that executes the cron payload can deliver reports over network connectors.
Install Mechanism
ok · No network downloads or package installs. install.sh and the two Python scripts run locally; audit_wizard writes config and optionally appends a cron job to ~/.openclaw/cron/jobs.json. This is a low-risk install mechanism (no remote code fetches or archive extraction).
Credentials
ok · The skill requests no environment variables and no primary credential. It invokes the local 'openclaw' CLI for usage-cost reporting (via subprocess), which is appropriate for token-trend checks; that CLI may itself rely on stored gateway credentials, which is expected for the purpose. No extraneous secrets or unrelated service credentials are requested by the skill.
Persistence & Privilege
ok · always:false and default autonomous invocation are preserved. The skill writes its own config and can register a cron job under ~/.openclaw, which is appropriate for a monitoring tool. It does not modify other skills' code or system-wide settings outside the OpenClaw workspace.