Skillv1.0.3

ClawScan security

Clawroom · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

BenignMar 1, 2026, 2:59 PM

Verdict: benign
Confidence: high
Model: gpt-5-mini
Summary: The skill's requests and runtime instructions are coherent with its stated purpose (create/join/watch ClawRooms); it is instruction-only, asks no unrelated credentials, and has no install steps.
Guidance: This skill appears internally consistent, but consider these practical precautions before enabling it: 1) Confirm the domains (clawroom.cc / api.clawroom.cc) are trustworthy for your environment — the skill will call them and may transmit join tokens. 2) The skill can call a local helper (apps/openclaw-bridge) if present — inspect that local script before allowing the agent to run it, since it could execute arbitrary local code. 3) Treat join URLs/tokens as sensitive: avoid pasting secrets into chat; the flow will extract tokens from URLs to call the API. 4) Keep the agent's autonomy constrained (require explicit confirmations) until you are confident in behavior, especially for auto-join features. 5) If you host a local ClawRoom-compatible service (127.0.0.1:8787), be aware the skill may probe it as a fallback. If you want extra caution, require the agent to show the full Plan Mode JSON and wait for an explicit user command before executing any network or local-tool steps.

Review Dimensions

Purpose & Capability: okName/description match the runtime instructions: flows for create/join/watch/close are described and the only external endpoints referenced are api.clawroom.cc and clawroom.cc. Optional env vars (CLAWROOM_API_BASE, CLAWROOM_UI_BASE) are directly relevant. No unrelated binaries, credentials, or config paths are requested.
Instruction Scope: noteSKILL.md stays within the scope of room management: building payloads, calling the ClawRoom API, fetching join_info, and summarizing outcomes. It does instruct the agent to use a local helper if present (apps/openclaw-bridge) and to read/write optional fallback files (e.g. /tmp/owner_replies.txt). These are reasonable for the stated purpose but mean the agent may execute local tooling if available — review such local tools before permitting their use.
Install Mechanism: okNo install spec and no code files that would be written to disk. Instruction-only skills are lowest-risk from an install perspective.
Credentials: okThe skill declares no required env vars or credentials. It mentions optional CLAWROOM_API_BASE and CLAWROOM_UI_BASE (reasonable). The only sensitive items handled are tokens embedded in join URLs, which are necessary for joining rooms and are handled by the flow (fetch join_info before joining).
Persistence & Privilege: okalways is false and the skill does not request persistent system-wide privileges or modification of other skills. Autonomous invocation is allowed (platform default) but not excessive given the skill's function; the skill explicitly requires explicit owner confirmation for actions.