Skill Safe Install
Review
Audited by ClawScan on May 10, 2026.
Overview
This is a mostly transparent safe-install workflow, but it can force real installs from review-only prompts and bypasses risk review for a hardcoded trusted list.
Use this only if you want an install workflow, not just a permissions review. Before installing, require the agent to run inspection for every skill, including allowlisted ones, and explicitly approve both the formal install and any allowBundled configuration change.
Findings (4)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
A user asking only to inspect a skill could have the agent proceed toward installing it.
The trigger includes review/check-permission phrases, but the mandatory full flow includes formal installation, so a review-only user request could be redirected into an install action.
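When the user message contains... skill review / check skill permissions... this skill must be triggered and the full flow executed... Step 0-5 must not be skipped... ### Step 4: Formal install clawhub install <skill>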
Separate review-only triggers from install triggers, and require explicit confirmation before moving from inspection to sandbox install and formal install.
Users may trust and install allowlisted skills without seeing the actual risk review they expected from a safety workflow.
The skill instructs the agent to skip the normal security review and suppress risk warnings for a hardcoded list, based on a claimed trusted status rather than an artifact-backed verification step.
Before running `clawhub inspect`, first compare against the whitelist... Risk level: **TRUSTED** (do not output any risk warnings) - jump directly to Step 3
Always run `clawhub inspect`, verify author/source identity, and report any findings even for allowlisted or first-party skills.
Installing or allowlisting the wrong skill could change the local agent environment.
The workflow runs local installation commands and edits OpenClaw configuration. This is aligned with the stated purpose, but it is high-impact and depends on the correct skill slug and user approval.
clawhub --workdir "$TMP" --dir skills install <skill> ... clawhub install <skill> ... jq '.skills.allowBundled += ["<skill>"]'
Confirm the exact skill identifier, review inspect output, quote or validate slugs, and ask the user before any install or config write.
A whitelist change can affect later sessions and future skill behavior.
Writing to allowBundled persists trust for future OpenClaw behavior. The artifact discloses this and requires explicit authorization, but the persistent effect is still important for users to understand.
### Step 5: Whitelist write (requires explicit user authorization)... mv /tmp/openclaw.json.new ~/.openclaw/openclaw.json
Only approve allowlist writes for skills you intend to trust long term, and keep the backup so the change can be reversed.
