Skillv0.2.1

ClawScan security

RescueClaw · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

BenignFeb 24, 2026, 9:39 AM

Verdict: Benign
Confidence: medium
Model: gpt-5-mini
Summary: RescueClaw's files and instructions are internally consistent with a user-local checkpoint/rollback helper, but the installer and examples have a few implementation and trust pitfalls you should review before installing.
Guidance: This skill appears to do what it claims (create/clear checkpoint files and invoke a user-local daemon), but before installing: 1) Review the upstream GitHub repository and the exact release asset (verify that the release author is trusted). 2) Prefer installs with checksums/signatures — the installer does not verify them. 3) Inspect the downloaded binary (or run it in an isolated environment) before trusting it, since the installer extracts a tarball from Releases. 4) Note that example code uses systemctl (requires privileges) and uses '~' in paths (Node won't expand it automatically) — fix these when you adapt the examples. 5) Ensure ~/.local/bin is in your PATH and that you are comfortable with a user-local daemon being available for the agent to call. If you need higher assurance, request a signed release or build the daemon from source yourself.

Review Dimensions

Purpose & Capability: okThe skill's name/description (checkpoint + rollback for risky operations) matches the provided code and runtime instructions: rescueclaw-checkpoint.js creates/clears a checkpoint file and queries a user-local daemon; install.js installs a user-local daemon binary. No unrelated credentials, services, or capabilities are requested.
Instruction Scope: noteSKILL.md and the API expose exactly the checkpoint operations. However, example usage includes privileged operations (e.g., restarting a system service via systemctl) and uses a literal '~' in fs.writeFileSync (Node.js does not expand ~ automatically), which is a bug/ambiguous guidance. The docs instruct agents to call the daemon CLI (rescueclaw status) and to write checkpoint files under ~/.openclaw/rescueclaw — both are within the skill's stated scope, but the example's systemctl usage requires elevated privileges and is not something the skill can safely perform on behalf of a user without explicit consent.
Install Mechanism: noteInstallation downloads a tar.gz from a GitHub Releases URL (well-known host) and extracts it into ~/.local/bin; this is a common pattern. Concerns: the installer doesn't verify checksums or signatures, extracts archives directly (tar extraction can be abused if upstream is compromised), and uses curl/tar via execSync (the script itself invokes shell commands). The install targets user-local paths (no sudo required), which limits system-wide impact.
Credentials: okThe skill requests no environment variables, no credentials, and stores data under the user's home directory (~/.openclaw/rescueclaw). The code does call external binary 'rescueclaw' when present, which matches the skill's role. There are no extraneous secrets or unrelated env access.
Persistence & Privilege: noteThe skill does create persistent artifacts: it installs a daemon binary to ~/.local/bin/rescueclaw and stores checkpoint data under ~/.openclaw/rescueclaw/. always is false (not force-included). The agent is allowed to invoke the skill autonomously by default (normal for skills); this combined with a long-lived daemon means the binary could be executed by the agent later — review the binary from upstream before trusting it.