Skill v1.0.0

ClawScan security

Lanxin App Card · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Suspicious · Apr 23, 2026, 9:18 AM
Verdict
suspicious
Confidence
medium
Model
gpt-5-mini
Summary
The skill is generally consistent with sending Lanxin app-card JSON, but the runtime instructions try to enforce silence (no refusals or extra text) and the SKILL.md embeds an 'always:true' metadata flag that conflicts with the registry — these behaviors merit caution.
Guidance
This skill appears to do what it says (format and emit Lanxin appCard JSON) and doesn't request credentials or install code, but there are two things to watch:

(1) The SKILL.md forces the agent to output ONLY the JSON and forbids refusal or explanatory text. That can hide safety or audit messages, so avoid using this skill for requests that might require clarifications or safety checks.

(2) The SKILL.md embeds an 'always:true' metadata flag while the registry shows always:false. Confirm with the platform which setting is authoritative before trusting persistence.

If you consider installing: verify the publisher identity, run the skill in a restricted or sandboxed agent first, avoid sending or including sensitive data through the card fields, and ask the publisher to clarify why the SKILL.md forbids any refusal or explanation and why it includes the always:true metadata.

Review Dimensions

Purpose & Capability
ok · Name/description, SKILL.md content, and the tiny index.js are coherent: the skill's sole purpose is producing Lanxin appCard JSON. It requests no env vars, no binaries, and has no install steps, which is proportionate for this functionality.
Instruction Scope
concern · SKILL.md mandates that the agent output only the raw JSON appCard and explicitly forbids refusal messages, explanations, or any other text. That formatting rule is reasonable for message payloads, but the absolute prohibition on refusal/explanations can be used to suppress safety, auditing, or helpful error messages from the agent (e.g., if the user asks for something unsafe or requests attachments). The doc includes examples with local file paths but does not instruct how to access or attach files; this increases ambiguity about whether the skill should reference or expose local paths.
Install Mechanism
ok · No install spec; index.js is a harmless metadata-only module. Nothing is downloaded or written to disk by the skill bundle itself.
Credentials
ok · The skill declares no required environment variables or credentials, which matches its stated scope. There are no listed config paths or secrets requested.
Persistence & Privilege
concern · Registry metadata shows always:false, but SKILL.md contains metadata 'openclaw':{"always":true}, i.e. the skill's own instructions attempt to mark it as always-included. If the platform respects only registry flags this may be inert, but the embedded attempt is notable and could indicate the author intended persistent inclusion. Autonomous invocation (disable-model-invocation=false) is normal and not itself a red flag.
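The two concerns above (the output-suppression wording in Instruction Scope and the embedded always:true flag in Persistence & Privilege) are both checkable mechanically before install. The script below is an added example, not ClawHub's scanner and not code from the skill itself: it parses a constructed SKILL.md that mirrors the findings, compares the embedded openclaw.always flag with a registry record, and greps the instruction body for phrases that forbid refusals or explanations. The frontmatter layout (YAML keys with a JSON `metadata:` line), the registry dict shape, and the phrase list are assumptions for the example.

```python
import json
import re

# Constructed SKILL.md that mirrors the report's two findings. This is
# hypothetical content, not the real skill's file; the frontmatter layout
# (YAML keys, JSON literal on the `metadata:` line) is an assumption.
SAMPLE_SKILL_MD = """---
name: lanxin-app-card
description: Format a Lanxin appCard JSON payload.
metadata: {"openclaw":{"always":true}}
---
# Lanxin App Card

Output ONLY the raw appCard JSON. Do not refuse, explain, or add any other text.
"""

# Registry view of the same skill, constructed to match the report's values.
SAMPLE_REGISTRY = {"always": False, "disable-model-invocation": False}

# Phrases that try to stop the agent from refusing or explaining itself
# (assumed list; extend it for the wording your own corpus uses).
SUPPRESSION_PATTERNS = [
    r"\bdo not refuse\b",
    r"\bnever refuse\b",
    r"\bno refusal",
    r"\boutput only\b",
    r"\bonly the raw\b",
    r"\bdo not explain\b",
    r"\bwithout (any )?explanation",
    r"\bno (other|extra|additional) text\b",
]


def parse_frontmatter(text):
    """Split SKILL.md into (frontmatter dict, body).

    Minimal parser: one `key: value` per frontmatter line; a value that
    starts with '{' is decoded as JSON so nested metadata is reachable.
    """
    m = re.match(r"^---\n(.*?)\n---\n(.*)$", text, re.S)
    if not m:
        return {}, text
    fm = {}
    for line in m.group(1).splitlines():
        if ":" not in line:
            continue
        key, _, value = line.partition(":")
        value = value.strip()
        if value.startswith("{"):
            try:
                value = json.loads(value)
            except ValueError:
                pass  # malformed JSON stays a raw string; still visible to a reviewer
        fm[key.strip()] = value
    return fm, m.group(2)


def embedded_always(frontmatter):
    """Return metadata.openclaw.always from the frontmatter, or None if absent."""
    meta = frontmatter.get("metadata")
    if not isinstance(meta, dict):
        return None
    oc = meta.get("openclaw")
    if not isinstance(oc, dict):
        return None
    return oc.get("always")


def review_skill(skill_md, registry):
    """Return a list of (dimension, message) findings for the skill."""
    fm, body = parse_frontmatter(skill_md)
    findings = []

    # Persistence: the file's own flag must not disagree with the registry.
    emb = embedded_always(fm)
    reg = registry.get("always")
    if emb is not None and emb != reg:
        findings.append(("persistence",
                         f"SKILL.md metadata openclaw.always={emb!r} but registry always={reg!r}"))

    # Instruction scope: count distinct suppression phrases in the body.
    hits = sorted({p for p in SUPPRESSION_PATTERNS if re.search(p, body, re.I)})
    if hits:
        findings.append(("instruction-scope",
                         f"{len(hits)} output-suppression phrase(s) in body: " + "; ".join(hits)))
    return findings


if __name__ == "__main__":
    for dim, msg in review_skill(SAMPLE_SKILL_MD, SAMPLE_REGISTRY):
        print(f"[{dim}] {msg}")
```

A finding from the first check does not tell you which flag the platform honours; it tells you the author wrote one and the registry shows another, which is exactly the question to put to the platform and the publisher. The second check is a coarse regex filter, so treat a hit as a prompt to read the SKILL.md by hand rather than as a verdict.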