Skill v1.0.0

ClawScan security

Stablecoin Use Check · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Suspicious
Apr 16, 2026, 12:41 AM
Verdict
suspicious
Confidence
high
Model
gpt-5-mini
Summary
The skill claims to be a prompt-only decision guide, but includes handler code that reads a hardcoded user path (and could be used to read other files), which is inconsistent and a potential privacy/exfiltration risk.
Guidance
This skill claims to be prompt-only but includes handler.py that reads a SKILL.md from a hardcoded directory (/Users/jianghaidong/.openclaw/skills/{skill_name}). That is inconsistent and could allow the skill to read files on the host. Before installing: (1) ask the author why handler.py must read local files and why a specific user path is hardcoded; (2) request removal of handler.py or that file reads be removed or sanitized (no absolute hardcoded home, no unsanitized skill_name); (3) if you must run it, do so in a sandboxed environment; (4) verify tests actually exercise file I/O — the provided test calls handle({}) but the handler will attempt to open a file, which is another inconsistency that should be resolved. If you don't trust the author or they cannot justify the file access, do not install.

Review Dimensions

Purpose & Capability
concern
The SKILL.md describes a prompt-only decision guide with no platform integration, yet the repository contains handler.py that reads a SKILL.md from an absolute path under /Users/jianghaidong/.openclaw/skills/{skill_name}. Reading local files is not needed for a prompt-only guide and therefore does not align with the stated purpose.
Instruction Scope
concern
The runtime instructions explicitly say 'Prompt-only, no platform integration', but handler.py attempts to open and read a local SKILL.md file. The SKILL.md instructions do not mention any file reads or accessing the user's filesystem. The handler accepts a skill_name and constructs an unsanitized path, which could enable reading unexpected files if manipulated.
Install Mechanism
ok
There is no install specification (instruction-only), so nothing is written to disk by an installer. This is the lowest-risk install mechanism.
Credentials
concern
The skill declares no environment variables or credentials, yet the code accesses a hardcoded user home path (/Users/jianghaidong/...). Accessing local configuration files is not declared in the metadata and is disproportionate to a prompt-only decision guide. The code also lacks path sanitization, raising potential file-access/exfiltration concerns.
Persistence & Privilege
ok
The skill is not set to always:true and does not request persistent presence or modify other skills. There is no declared autonomous privilege escalation beyond the normal agent invocation model.