Skill v1.0.2
ClawScan security
Looking for Someone · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Benign · Mar 21, 2026, 11:22 AM
- Verdict: benign
- Confidence: high
- Model: gpt-5-mini
- Summary: The skill is internally consistent with a local, offline missing-person case manager: it stores JSON files under the user's home, has no network calls or credential requests, and its CLI matches the documented capabilities.
- Guidance: This skill appears to do what it says: a local CLI that manages missing-person cases and produces guidance and notices. Before installing or using it: 1) Note that case data is stored as plain JSON under ~/.openclaw/skills-data/looking-for-someone/ with no encryption—do not store highly sensitive identifiers unless you accept that risk. 2) The bundle lacks the test.js referenced in the docs, and the CLI snippet provided in the listing was truncated; inspect scripts/cli.js in your environment to check the notice-generation functions and confirm there are no unexpected network calls before running. 3) Run the CLI in a restricted/sandboxed environment until you’re comfortable with its behavior, and back up or securely delete data when no longer needed. 4) If you plan to share generated notices publicly, follow the privacy guidelines included in the references and coordinate with authorities for high-risk cases.
Review Dimensions
- Purpose & Capability (ok): Name/description match the files and behavior: a local CLI for creating/listing cases, adding clues, generating notices, and offering guidance. There are no unexpected external credentials, binaries, or remote services required.
- Instruction Scope (note): Runtime instructions are narrowly scoped to the local CLI and documented JSON storage. Two minor issues: SKILL.md's testing instruction references node test.js but no test.js is present in the file manifest; and the SKILL.md excerpt of scripts/cli.js shown in the bundle is truncated in the provided listing (some functions referenced by the CLI, e.g., notice-format generators, are not visible in the excerpt). These are likely packaging/documentation oversights rather than malicious behavior.
- Install Mechanism (ok): No install spec; this is instruction-only plus an included CLI script. No downloads, package installs, or archive extraction are declared.
- Credentials (note): The skill requests no environment variables or credentials. It stores potentially sensitive case data in plain JSON under ~/.openclaw/skills-data/looking-for-someone/ and explicitly documents lack of field-level encryption. The local storage is proportional to the stated purpose but is sensitive—users should expect that data is unencrypted and therefore should avoid storing highly sensitive fields or should manage file system permissions/backups carefully.
- Persistence & Privilege (ok): always is false and the skill does not request permanent platform-level privileges. It only writes to its own data directory and does not modify other skills or global agent settings.
