Skill v0.1.1

ClawScan security

Openclaw Manager · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Benign · Feb 27, 2026, 6:44 AM
Verdict
benign
Confidence
medium
Model
gpt-5-mini
Summary
The skill's code and runtime instructions are consistent with a deployment/hardening helper for OpenClaw; it reads a .env, validates secrets, writes local ledger entries, and emits rollout plans — but there are a few metadata inconsistencies and local-file-write behaviors to be aware of.
Guidance
This skill appears to be a legitimate deployment and hardening helper for OpenClaw, but check the following before you install or use it:
- Metadata mismatch: the registry entry claims no required env vars, but SKILL.md and validate_openclaw_env.py require OPENCLAW_GATEWAY_TOKEN (and often an LLM API key). Treat OPENCLAW_GATEWAY_TOKEN and any LLM/provider keys as sensitive.
- The scripts read a .env file and report on key names, duplicate or malformed lines, placeholders, and weak secrets. They do not transmit secret values elsewhere, but you should never write real secrets into the ops ledger or commit .env files to git.
- The skill writes files to your working directory (the rollout plan and the ops ledger). Review the generated files and ensure the ledger contains only metadata (names of profiles and keys), not secret values.
- The provided tooling is planning/validation-focused; it does not perform provider deployments itself. When following provider playbooks (clone + deploy), verify any external commands or provider CLIs separately.
- Recommended precautions: run the scripts in an isolated environment, inspect the three included scripts before executing them, ensure .env contains only appropriate values, and confirm that you will not accidentally paste secrets into ledger fields or commit them to source control.
If you want, I can point out the exact lines in the scripts that read/write files and the precise registry-vs-SKILL.md discrepancy to help you decide whether to proceed.

Review Dimensions

Purpose & Capability
ok
The name/description (deploy, harden, operate OpenClaw) aligns with the included artifacts: a rollout planner, an env validator, and a ledger appender. The scripts and reference docs cover provider-specific checks, channel/integration smoke tests, and hard security gates that fit the stated purpose.
Instruction Scope
note
SKILL.md instructs the agent/operator to run the included scripts, validate a .env file, update an ops ledger, and follow provider playbooks. Those instructions stay within deployment/hardening scope; reading a local .env is expected for this kind of helper. The skill advises cloning the OpenClaw repo and performing provider deploys, but the provided scripts do not perform network deploys themselves. They are planning/validation helpers, not deployment automation.
Install Mechanism
ok
There is no install spec or external download. All code is included in the skill (3 scripts + docs). No remote installers, no URL downloads, and no extract/execute of remote archives were found; this minimizes supply-chain install risk from the skill bundle itself.
Credentials
note
The runtime docs and scripts clearly require a gateway token (OPENCLAW_GATEWAY_TOKEN) and, depending on profile, expect LLM provider keys (OPENAI_API_KEY or ANTHROPIC_API_KEY) and recommended provider tokens (e.g., FLY_API_TOKEN). However, the top-level registry metadata lists 'Required env vars: none', which is inconsistent with SKILL.md, runtime_metadata and the validate script. The scripts only read .env files from disk (they do not transmit secret values), and the ops-ledger schema explicitly says not to record secret values. The ledger appender does record metadata (profile and key names), so operators must ensure they do not pass secret values as ledger fields or commit .env into git.
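The two checks this finding and the Guidance above describe, validating a .env without exposing values and keeping the ops ledger metadata-only, are easy to get subtly wrong (an error message that echoes the weak secret, a "note" field that accepts a pasted token). The following is an added worked example written for this review page; it is not the skill's own validate_openclaw_env.py or ledger appender, whose contents are not reproduced here. The key names are taken from the review; the placeholder patterns, the length and entropy thresholds, the JSON-lines ledger schema and the file name openclaw-ops-ledger.jsonl are assumptions made for the example, and the sample .env is constructed.

```python
"""Illustrative .env validator and metadata-only ops-ledger appender.

Added example for this review page. It is NOT the skill's own
validate_openclaw_env.py or ledger script (their contents are not shown on the
page). The key names come from the review; the placeholder patterns, the
length/entropy thresholds, the JSON-lines ledger schema and the file name
openclaw-ops-ledger.jsonl are assumptions made for the example.
"""
import json
import math
import re
from collections import Counter
from datetime import datetime, timezone

REQUIRED = ("OPENCLAW_GATEWAY_TOKEN",)                    # always required per SKILL.md
PROVIDER_KEYS = ("OPENAI_API_KEY", "ANTHROPIC_API_KEY")   # at least one expected
SENSITIVE = re.compile(r"(TOKEN|KEY|SECRET|PASSWORD)$")   # which keys hold secrets (assumed)
PLACEHOLDERS = re.compile(
    r"^(change[-_ ]?me|replace[-_ ]?me|x{3,}|todo|<[^>]*>|your[-_].*|\.\.\.)$", re.I)
ENV_LINE = re.compile(r"^(?:export\s+)?([A-Za-z_][A-Za-z0-9_]*)\s*=\s*(.*)$")
IDENT = re.compile(r"^[A-Z][A-Z0-9_]*$")                  # what a key *name* looks like

# Constructed sample; every value in it is fake.
SAMPLE_ENV = """
# constructed sample .env, not a real config
OPENCLAW_GATEWAY_TOKEN=changeme
OPENAI_API_KEY=sk-test-0123456789abcdef0123456789abcdef
FLY_API_TOKEN="short"
export ANTHROPIC_API_KEY = 'ant-0123456789abcdefghijklmnopqrstuvwxyz'
FLY_API_TOKEN=anothervalue
this line is broken
"""


def _entropy_bits(s):
    """Total Shannon entropy of s in bits (per-character entropy times length)."""
    n = len(s)
    if n == 0:
        return 0.0
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values()) * n


def parse_env(text):
    """Parse KEY=value lines. Returns (entries, problems); problems mention line
    numbers and key names only, never values."""
    entries, problems = [], []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        match = ENV_LINE.match(line)
        if not match:
            problems.append(f"line {lineno}: malformed (expected KEY=value)")
            continue
        key, value = match.group(1), match.group(2).strip()
        if len(value) >= 2 and value[0] == value[-1] and value[0] in "'\"":
            value = value[1:-1]                           # strip matching quotes
        entries.append((key, value))
    counts = Counter(k for k, _ in entries)
    problems += [f"{k}: defined {c} times" for k, c in counts.items() if c > 1]
    return entries, problems


def validate_env(text, min_secret_len=24, min_entropy_bits=64):
    """Validate a .env body. The report carries key names and findings only, so
    it is safe to print or log; secret values never leave this function."""
    entries, problems = parse_env(text)
    present = dict(entries)                               # last definition wins, like most loaders
    problems += [f"{k}: missing (required)" for k in REQUIRED if k not in present]
    if not any(k in present for k in PROVIDER_KEYS):
        problems.append(f"no LLM provider key set (one of {'/'.join(PROVIDER_KEYS)})")
    for key, value in present.items():
        if not SENSITIVE.search(key):
            continue
        if not value or PLACEHOLDERS.match(value):
            problems.append(f"{key}: placeholder or empty value")
        elif len(value) < min_secret_len or _entropy_bits(value) < min_entropy_bits:
            problems.append(f"{key}: weak secret (short or low entropy)")
    return {"keys": sorted(present), "problems": problems, "ok": not problems}


def looks_like_secret(text, min_len=20, min_entropy_bits=64):
    """Heuristic guard: a long, high-entropy, whitespace-free token is probably a
    credential pasted where metadata belongs."""
    return any(len(tok) >= min_len and _entropy_bits(tok) >= min_entropy_bits
               for tok in text.split())


def ledger_entry(profile, key_names, note="", ts=None):
    """Build one JSON-lines ledger record holding metadata only (profile, key
    names, note). Raises ValueError instead of recording anything secret-like;
    the error deliberately does not echo the rejected value."""
    not_names = [k for k in key_names if not IDENT.match(k)]
    if not_names:
        raise ValueError(f"ledger takes key names, not values: {len(not_names)} field(s) rejected")
    for field in (profile, note):
        if looks_like_secret(field):
            raise ValueError("refusing to record a field that looks like a secret value")
    ts = ts or datetime.now(timezone.utc).isoformat(timespec="seconds")
    return json.dumps({"ts": ts, "profile": profile, "keys": sorted(key_names), "note": note},
                      sort_keys=True)


def append_ledger(path, entry):
    """Append one record; creates the ledger file if it does not exist."""
    with open(path, "a", encoding="utf-8") as fh:
        fh.write(entry + "\n")


if __name__ == "__main__":
    report = validate_env(SAMPLE_ENV)
    print(json.dumps(report, indent=2))                   # findings by key name, no values
    entry = ledger_entry("fly-prod", report["keys"], note="env validated; see findings")
    append_ledger("openclaw-ops-ledger.jsonl", entry)     # assumed ledger file name
```

Run against the constructed sample, the report flags the malformed line, the duplicated FLY_API_TOKEN, the placeholder gateway token and the short FLY_API_TOKEN value, while the strong-looking provider keys pass; nothing in the report text is a value from the file. The ledger side enforces the schema the review mentions from the other direction: anything that is not a key name is rejected, and a free-text note containing a token-shaped string is refused rather than written to disk, which is the failure mode the Guidance warns about.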
Persistence & Privilege
ok
The skill is not always-enabled. It writes files to the working directory (rollout plan output and the ops ledger) and will create the ledger file if missing. This is expected for an ops/ledger helper. It does not modify other skills or system-wide agent config, nor does it request elevated persistent privileges.