Skillv1.0.0

ClawScan security

Portfolio Risk Sensemaker · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

SuspiciousApr 15, 2026, 11:37 PM

Verdict: suspicious
Confidence: high
Model: gpt-5-mini
Summary: The skill's SKILL.md says it's prompt-only, but the bundled handler reads a hard-coded user path on disk (with no sanitization), which is disproportionate and could allow reading arbitrary local files.
Guidance: This skill claims to be prompt-only but includes code that reads a hard-coded path under /Users/jianghaidong/.openclaw/skills/{skill_name} with no input sanitization. That enables a caller to cause the skill to read local files (path-traversal risk) and exposes a developer's home path. Before installing: (1) ask the author why the skill needs to read SKILL.md and remove that behavior if unnecessary; (2) request that file access be limited to the skill's own directory and that skill_name be validated/normalized (no '../'); (3) run the code in a sandboxed environment or review it locally; and (4) if you must install, do not grant it access to sensitive host files. If the author cannot justify the disk read, treat this as a red flag and avoid installing.

Purpose & Capability: concernThe skill is described as prompt-only and not needing any files or credentials, but handler.py contains code to load a SKILL.md from a hard-coded path (/Users/jianghaidong/.openclaw/skills/{skill_name}). Reading local skill files is unnecessary for a prompt-only portfolio analyzer and the hard-coded user path is unusual and disproportionate.
Instruction Scope: concernSKILL.md instructions do not mention reading disk files. The handler's _load_skill_meta opens a file based on the provided skill_name with no validation or sanitization, allowing the agent (or whoever calls handle) to trigger arbitrary file reads under that filesystem prefix — behavior outside the documented scope.
Install Mechanism: okNo install specification and no external downloads; the skill is instruction-only with two small local code files, so there is no elevated install risk.
Credentials: noteThe skill declares no environment variables or credentials (consistent with its description). However, the handler's file read is an undeclared capability to access local filesystem data, which is not captured by requires.env and so is under-specified and surprising.
Persistence & Privilege: okThe skill is not marked always:true and does not attempt to modify other skills or global agent settings. It does, however, read from disk when invoked, which is a runtime privilege but not persistent configuration.