Skill v1.0.0

ClawScan security

Message Injector · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Benign · Feb 23, 2026, 9:07 AM
Verdict
benign
Confidence
high
Model
gpt-5-mini
Summary
The skill's files, installation steps, and runtime behavior align with its stated purpose of prepending text to user messages. It does not request credentials or perform remote installs, but it does persistently modify gateway behavior for the whole workspace, so install it deliberately.
Guidance
This skill appears internally consistent with its purpose. Before installing: (1) Understand it will prepend configured text to every user message at the gateway level and agents cannot ignore it — this can change behavior across all users and channels in the workspace. (2) Back up ~/.openclaw/openclaw.json before editing so you can revert. (3) Keep prependText free of secrets or personally identifying data (it will be sent with every message). (4) Installation is manual: the provided code is short and readable; review the included scripts/index.ts yourself (it simply returns prependContext when configured). (5) If you share this workspace, coordinate with other users because the injection is global. If you want scoped or temporary injection, consider toggling enabled or using a different mechanism that targets specific agents or channels.
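The guidance above describes two things worth seeing in code: what the plugin actually does at the gateway (return the configured text when enabled, with no way for an agent downstream to skip it) and the checks to run before writing the config entry (back up openclaw.json, keep prependText free of secrets and personal data). The following is an added example written for this page; it is not code from ClawHub or from the Message Injector skill. Only the config keys `prependText` and `enabled` and the path `~/.openclaw/openclaw.json` come from the review; the `GatewayMessage` shape, the function names, the secret-detection patterns and the sample configs are assumptions constructed for the illustration.

```typescript
// Added example, not code from ClawHub or the Message Injector skill.
// Models the reviewed behaviour (return prependText when enabled, applied at
// the gateway before any agent sees the message) plus the pre-install checks
// from the guidance. Config keys prependText/enabled and the openclaw.json
// path come from the review; everything else here is an assumption.
import * as fs from "node:fs";
import * as os from "node:os";

export interface MessageInjectorConfig {
  enabled?: boolean;
  prependText?: string;
}

// Assumed shape of a message passing through the gateway.
export interface GatewayMessage {
  channel: string;
  user: string;
  text: string;
}

// Mirrors what the review says scripts/index.ts does: return the configured
// text only when the plugin is enabled and the text is non-empty.
export function resolvePrependContext(cfg: MessageInjectorConfig): string | undefined {
  if (!cfg.enabled) return undefined;
  const text = cfg.prependText?.trim();
  return text ? text : undefined;
}

// Gateway-level injection: every message, every user, every channel.
// Nothing downstream can opt out, which is why the guidance calls it global.
export function injectMessage(cfg: MessageInjectorConfig, msg: GatewayMessage): GatewayMessage {
  const ctx = resolvePrependContext(cfg);
  if (ctx === undefined) return msg;
  return { ...msg, text: `${ctx}\n\n${msg.text}` };
}

// Heuristic patterns for content that must not ride along with every message.
// Illustrative, not exhaustive.
const SECRET_LIKE: Array<[string, RegExp]> = [
  ["aws-access-key-id", /\bAKIA[0-9A-Z]{16}\b/],
  ["sk-prefixed-api-key", /\bsk-[A-Za-z0-9_-]{20,}/],
  ["bearer-token", /\bBearer\s+[A-Za-z0-9._-]{16,}/i],
  ["private-key-block", /-----BEGIN [A-Z ]*PRIVATE KEY-----/],
  ["credential-assignment", /\b(password|passwd|secret|api[_-]?key|token)\s*[:=]\s*\S+/i],
  ["email-address", /[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}/],
];

export function findSecretLikeContent(text: string): string[] {
  return SECRET_LIKE.filter(([, re]) => re.test(text)).map(([name]) => name);
}

// Pre-install review of the plugin entry: empty list means safe to write,
// otherwise the reasons to stop and fix the config first.
export function reviewConfig(cfg: MessageInjectorConfig): string[] {
  const problems: string[] = [];
  if (resolvePrependContext(cfg) === undefined) {
    problems.push("plugin is disabled or prependText is empty: it will inject nothing");
  }
  for (const hit of findSecretLikeContent(cfg.prependText ?? "")) {
    problems.push(`prependText contains secret-like content (${hit}); it would be sent with every message`);
  }
  return problems;
}

// Guidance step (2): copy openclaw.json aside before editing so the change
// can be reverted. Default path is the one named in the review.
export function backupConfig(configPath = `${os.homedir()}/.openclaw/openclaw.json`): string {
  const backupPath = `${configPath}.bak-${Date.now()}`;
  fs.copyFileSync(configPath, backupPath);
  return backupPath;
}

// Constructed sample run (no file access): a safe config and an unsafe one.
const safe: MessageInjectorConfig = { enabled: true, prependText: "Reply in formal English." };
const unsafe: MessageInjectorConfig = {
  enabled: true,
  prependText: "Use token=sk-abcdefghijklmnopqrstuvwxyz123456 for the API",
};
const sample: GatewayMessage = { channel: "general", user: "alice", text: "hello" };
console.log(injectMessage(safe, sample).text);
console.log(reviewConfig(safe));
console.log(reviewConfig(unsafe));
```

Run `reviewConfig` on the entry you intend to add before calling `backupConfig` and editing the file; the `unsafe` sample is rejected twice (an `sk-` key and a `token=` assignment), while the `safe` one passes. Toggling `enabled` to `false` is the only off switch the reviewed config exposes, and `resolvePrependContext` shows that it silences the plugin for everyone at once rather than for one agent or channel.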

Review Dimensions

Purpose & Capability
ok · Name/description claim to prepend text to every user message, and the included plugin code and config schema implement exactly that behavior. There are no unrelated environment variables, binaries, or hidden capabilities requested.
Instruction Scope
note · SKILL.md instructs copying the provided plugin files into the ~/.openclaw workspace and editing ~/.openclaw/openclaw.json; all actions relate to installing a workspace extension. The docs explicitly state the injection is applied at the Gateway level and cannot be skipped; this is expected but has privacy and behavioral impact, since it affects every message. There are no instructions to read other unrelated files or transmit data externally.
Install Mechanism
ok · No automated installer or remote download is used; installation is manual (copy local files and edit config). The package does not fetch archives or run external installers, so disk writes are limited to the extension directory and the user's OpenClaw config as instructed.
Credentials
ok · The skill requires no environment variables, credentials, or special config paths beyond the workspace plugin placement and an entry in ~/.openclaw/openclaw.json. The runtime code accesses only the plugin config (prependText, enabled).
Persistence & Privilege
note · The plugin is persistent as a workspace extension (enabled in openclaw.json) and will affect all agent messages in that workspace and its channels while enabled. It is not marked always:true and does not autonomously add itself, but it does change gateway behavior globally for the workspace once installed.