Skill v0.1.0

ClawScan security

Roty Tiffin Skill · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Reviewed: Mar 4, 2026, 12:05 PM
Verdict: Review
Confidence: medium
Model: gpt-5-mini
Summary
The skill generally does what it claims (parse Telegram messages and POST an order) but the repository contains contradictory documentation, UI-automation scripts (Playwright) and plaintext credentials that are not justified by the SKILL.md, so you should review/clean these before trusting it.
Guidance
What to check before installing or enabling this skill:
1) Remove or isolate Playwright/automation files if you intend to enforce POST-only behavior. The SKILL.md forbids UI automation, but the package includes Playwright templates and scripts that would perform browser actions and type credentials; delete or audit these files.
2) Verify the hardcoded POST endpoint and the provider who controls it. This skill will send parsed customer addresses, names, phone numbers, and order details to that URL. If you do not control or trust that endpoint, do not install or run it.
3) Treat embedded plaintext credentials as potential secrets: either confirm they are dummy/test values, or rotate any real credentials and remove them from code. Search the repo for any other hardcoded secrets.
4) Decide which dry-run policy you want and make it explicit: either set DRY_RUN=1 for testing or modify handle_message.py/RULES.md so both agree. Run many DRY_RUN tests with test messages to validate parser, pricing and payload shapes before allowing live posts.
5) Review allowed_users.json and onboarding behavior. onboard_product allows OpenClaw context to bypass admin checks; ensure only trusted processes can set OPENCLAW_CONTEXT. If you rely on human admin control, limit or remove the openclaw bypass.
6) Consider a code cleanup: remove unused templates, strip credentials, and document which files are authoritative for runtime. After cleanup, re-run tests and only then enable the skill for autonomous invocation.
If you want higher confidence I can: (a) list every file that contains literals resembling credentials or endpoints, (b) show the exact payload shape the skill will POST for a sample message, or (c) suggest a minimal trimmed package that implements only the POST path with no automation templates.
Findings
[playwright-automation-present] unexpected: SKILL.md explicitly forbids Playwright/UI automation, but repository contains Playwright/vision automation templates (roty_order_automation.py, roty_playwright_dryrun.py). Presence is inconsistent with stated POST-only behaviour.
[embedded-plaintext-credentials] unexpected: roty_order_automation.py includes apparent plaintext credentials (email 'samwisethebot@gmail.com' and password 'Samwisethebot') and phone numbers that are not referenced in SKILL.md. Hardcoded credentials in code are a sensitive exposure and not justified by the SKILL.md.
[hardcoded-endpoint-and-refs] expected: post_order.py and SKILL.md both hardcode the target POST endpoint and build_payload.py hardcodes userRef/vendorRef. Having a hardcoded endpoint is expected for an integration, but you should verify ownership/trust of that endpoint before sending customer data.
[conflicting-dry-run-policy] unexpected: RULES.md claims dry-run-by-default and requires an explicit 'POST now' to send live orders; SKILL.md and handle_message.py default to live unless DRY_RUN=1. This inconsistency could cause accidental live orders.
[product-hardCodedPrice-in-registry] unexpected: data/products_roty.json includes a 'hardCodedPrice' field for a product even though SKILL.md / RULES.md instruct never to use hardCodedPrice; this is an internal consistency issue.

Review Dimensions

Purpose & Capability
concern: The stated purpose is to parse Telegram messages and create orders via HTTPS POST, which matches the dispatcher, parser, pricing, payload builder, and post_order scripts. However, the repo also contains Playwright/vision automation templates (roty_order_automation.py, roty_playwright_dryrun.py) and embedded login credentials, which are outside the claimed 'POST-only / no UI automation' purpose; this is an unexpected capability and a coherence problem.
Instruction Scope
concern: SKILL.md mandates a single entrypoint (scripts/handle_message.py) and says explicitly 'DO NOT use Playwright or browser automation'. The dispatcher and helper scripts follow that model. But several included scripts implement browser automation, take screenshots, and even type credentials; these files are not referenced by the SKILL.md execution path but remain in the package and contradict the declared runtime restrictions. Documentation also conflicts internally: SKILL.md requires an immediate POST (no dry-run prompt) while RULES.md states dry-run by default.
Install Mechanism
ok: There is no install spec (instruction-only install), so nothing is downloaded or auto-installed by the manifest. That minimizes install-time risk. The only code is bundled in the skill archive; no external URLs or extraction steps are present.
Credentials
concern: The skill declares no required environment variables, but the runtime uses the DRY_RUN and OPENCLAW_CONTEXT environment variables (undocumented in requires.env). More importantly, several scripts contain hardcoded sensitive-looking values: a remote POST endpoint is hardcoded in SKILL.md and post_order.py, build_payload.py hardcodes userRef/vendorRef, and the Playwright automation contains a plaintext email/password and phone numbers. The embedded plaintext credentials and the external endpoint mean customer order data would be sent to an external host and that sensitive secrets are present in code, which is disproportionate given the stated safety rules.
Persistence & Privilege
ok: The skill does not request always:true and does not modify other skills or system-wide settings. It reads/writes only its own data files (e.g., data/allowed_users.json, products_roty.json). onboard_product allows bypass when OPENCLAW_CONTEXT is set (expected for platform-managed calls), but this is normal for admin-onboard flows.