Skill v2.2.0

ClawScan security

Skill Safe Install · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Suspicious · Mar 10, 2026, 6:18 AM
Verdict
suspicious
Confidence
medium
Model
gpt-5-mini
Summary
The skill's described purpose (a strict, auditable install workflow) matches its instructions, but there are meaningful inconsistencies and trust decisions (undeclared config edits, undeclared CLI dependencies, and a hardcoded trust whitelist) that you should review before installing.
Guidance
This skill implements a reasonable secure-install workflow, but review these points before installing: (1) Confirm you accept the hardcoded trusted-author whitelist (halfmoon82 / deepeye); skills from those authors will skip risk review. (2) The instructions edit ~/.openclaw/openclaw.json using jq; ensure you (or the agent) explicitly authorize Step 5 and that backups are retained. (3) Ensure the runtime environment actually has clawhub, jq, mktemp, cp, and mv available, because the skill metadata does not declare these dependencies. (4) Consider running the sandbox install commands manually first to validate behavior, and verify that any automated consent/whitelist write is logged and reversible. If you need higher assurance, ask the author to (a) declare required binaries/config paths in metadata and (b) make the trust whitelist configurable rather than hardcoded.

Review Dimensions

Purpose & Capability
note: The skill's name and description align with the runtime instructions: it enforces a 6-step install workflow (duplicate check, search, inspect, sandbox, install, whitelist). However it hardcodes a first‑party trust whitelist (authors halfmoon82 / deepeye) that exempts those skills from risk review — this is a governance decision that could legitimately exist but must be consciously accepted by operators.
Instruction Scope
concern: The SKILL.md instructs the agent to read and modify the user's OpenClaw config (~/.openclaw/openclaw.json) (backup + jq edits). It also requires running system commands (clawhub, mktemp, jq, cp, mv) and performing installs in an isolated workdir. Those file-path modifications and command executions are within the skill's stated purpose, but modifying the agent's config is a sensitive action and the SKILL.md relies on a user consent step — ensure that consent is enforced and auditable.
Install Mechanism
note: This is instruction-only (no install spec, no code files), which is lowest install risk. Still, the instructions assume presence of specific CLI tools (clawhub, jq, mktemp) even though the skill declares no required binaries; that's an operational mismatch to be aware of.
Credentials
concern: The skill declares no required env vars or config paths, yet the runtime instructions explicitly read and write ~/.openclaw/openclaw.json and rely on jq and clawhub. The implicit requirement to edit the agent's config and to run external binaries is not reflected in the declared metadata — a proportionality mismatch that should be fixed or acknowledged.
Persistence & Privilege
note: The skill can cause persistent changes by appending skills to the allowBundled whitelist. The SKILL.md states Step 5 requires explicit user authorization, which mitigates risk. It does not set always:true, and it does not request autonomous always-on privileges — but modifying the agent config is a powerful action and should only be allowed after clear, logged consent.