Skillv1.0.1

ClawScan security

OpenClaw Safe Update · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

BenignMar 4, 2026, 12:07 PM

Verdict: benign
Confidence: medium
Model: gpt-5-mini
Summary: The skill's requests and instructions match its stated purpose (isolated verify-first OpenClaw upgrades); nothing requests unrelated credentials or surprising system access, though it does execute candidate package code fetched from npm which is an expected but risky action you should be aware of.
Guidance: This skill appears to do what it says: it downloads a candidate OpenClaw version into ~/.openclaw/versions, runs that candidate in an isolated sidecar on localhost to verify startup, and only performs a global npm -g install when explicitly asked. Before installing: 1) Understand that the script will download and execute code from the public npm registry (this is necessary for verifying the real package but is an execution risk). 2) Review the log at ~/.openclaw/logs/openclaw-sidecar-verify.log if verification fails. 3) Be aware that applying the upgrade runs npm install -g and may require sudo — only allow apply with explicit, informed consent. 4) If you need stronger isolation, run the script inside a disposable VM/container or audit the specific package version you plan to install. If you want higher assurance, request cryptographic signatures or a vetted release channel instead of arbitrary npm versions.

Review Dimensions

Purpose & Capability: okName/description (safe, isolated verify-first upgrades) aligns with required binaries (openclaw, node, npm, curl, bash), the included script, and the platform reference docs. All requested tools are expected for performing an npm-based sidecar verification and global npm install when applying.
Instruction Scope: okSKILL.md instructs the agent to run the bundled script and to default to verify-only, inspect logs on failure, and only apply on explicit confirmation. The script only touches ~/.openclaw (versions and logs), uses npm/node to fetch and run the candidate package locally, probes a loopback port, and does not read unrelated system files or exfiltrate data. Behavior stays within the described upgrade/verification scope.
Install Mechanism: noteNo external install spec (instruction-only with included script). The script uses npm to download package versions from the public npm registry and then executes the candidate's entrypoint with node. This is coherent for verifying a package but means the skill will download and execute third-party code from npm into the user's home directory — expected for the task but intrinsically higher-risk than pure configuration actions.
Credentials: okThe skill declares no required credentials and only uses common env overrides (OPENCLAW_VERSIONS_DIR, LOG_DIR, SIDECAR_*). There are no requests for unrelated secrets or system credentials. The need for sudo on global npm installs is noted in docs and is a standard platform permission issue, not a hidden credential request.
Persistence & Privilege: noteThe skill does not request always:true or other elevated platform privileges. It will create files under ~/.openclaw (candidate installs and logs) and may perform global npm install when run with --apply (which can require elevated permissions). The script itself defaults to verify-only and only applies when given --apply; however the agent could invoke the script with --apply if misused — the SKILL.md relies on the agent to ask for explicit user confirmation before applying.