Skillv1.0.0

ClawScan security

Crypto Budget Boundary Planner · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

ReviewApr 15, 2026, 11:36 PM

Verdict: Review
Confidence: medium
Model: gpt-5-mini
Summary: The skill is described as prompt-only, but includes code that reads a hardcoded user filesystem path, which is inconsistent and may access local files it doesn't need to.
Guidance: This skill's description says it's prompt-only, but the included handler.py tries to open /Users/jianghaidong/.openclaw/skills/{skill_name}/SKILL.md. Before installing or enabling it, either (1) ask the author why the code needs to read a hardcoded path and request removal of filesystem access, (2) inspect/run the code in a sandboxed environment, or (3) reject the skill. If you must test it, run it in an isolated VM/container and search for any other hardcoded paths or network calls. The current mismatch between the prose and the code is a privacy risk (local file reads) and should be resolved before use.

Review Dimensions

Purpose & Capability: concernSKILL.md and the description present this as a prompt-only budgeting helper (no account integration, no I/O). However handler.py attempts to read a local SKILL.md from a hardcoded absolute path (/Users/jianghaidong/.openclaw/skills/{skill_name}/SKILL.md). Reading arbitrary files under a user's home directory is not necessary for the stated purpose and is disproportionate.
Instruction Scope: concernThe runtime instructions (SKILL.md) never instruct reading local files or accessing the host filesystem. The included handler.py violates that scope by opening a host file path. This is hidden scope creep: the prose says "prompt-only" but code performs filesystem access.
Install Mechanism: noteThere is no install spec (instruction-only), which is low risk normally, but this package includes Python code files. That means if the skill is loaded/executed, the embedded code will run despite no install steps being declared. There is no external download or suspicious installer URL.
Credentials: concernThe skill declares no environment variables or credentials, yet the code attempts to access a specific filesystem location in a user's home directory (hardcoded username). Requesting or reading host-local files is not justified by the budgeting purpose and is disproportionate to the stated needs.
Persistence & Privilege: okThe skill does not request always:true and has no install hooks or claims to modify other skills or global settings. Autonomous invocation is allowed by default, but that alone is not an additional red flag here.