Skill v2.0.4
ClawScan security
Checkmate · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Suspicious · Feb 22, 2026, 11:37 PM
- Verdict: suspicious
- Confidence: medium
- Model: gpt-5-mini
- Summary: The skill's behavior matches its stated purpose (a loop that spawns worker/judge agent sessions) but it requires high runtime privileges, relies on gateway OAuth and live-session injection, and there are a few metadata/instruction inconsistencies you should understand before use.
- Guidance: This skill appears to implement what it claims (a deterministic orchestration loop that spawns worker and judge agent sessions), but it requires high runtime privileges and implicitly uses the platform's OAuth and other installed skills. Before installing or running it:
  - Confirm the 'openclaw' CLI and Python 3 requirement (registry metadata incorrectly lists no required binaries).
  - Run only in interactive mode by default; avoid --no-interactive / batch mode unless you fully trust the task and environment.
  - Do not pass secrets or sensitive credentials inside the task text or workspace.
  - Audit the included scripts (scripts/run.py and workspace.sh) yourself (they are small and present in the package). Pay special attention to any places where the orchestrator injects messages or writes files.
  - Consider running first in an isolated environment (a throwaway agent account or restricted OpenClaw instance) that does not have OAuth access to sensitive skills (email, Drive, cloud provider connectors).
  - If you must run in production, restrict which skills/credentials are installed on that agent gateway or require manual checkpoints for every iteration.

  Because workers inherit broad capabilities and the skill can bridge user replies to disk and inject live session turns, treat it like code execution: only run with explicit, limited trust and proper operational safeguards.
Review Dimensions
- Purpose & Capability (note): The skill name/description (iterative worker→judge loop) align with its code and runtime instructions: it spawns agent sessions via the OpenClaw CLI, judges outputs, and notifies users. However the registry metadata claims no required binaries/env vars, while SKILL.md and run.py clearly require the 'openclaw' CLI and Python 3. This metadata mismatch is an incoherence you should confirm with the publisher.
- Instruction Scope (concern): The orchestrator injects turns into live sessions and spawns worker/judge agent sessions that 'inherit full host-agent runtime' (exec, web_search, web_fetch, all skills including OAuth-bound credentials, and sessions_spawn). The SKILL.md and run.py explicitly implement a bridging mechanism that instructs an agent to write user replies to disk. Those instructions are coherent with the skill's purpose, but they give any worker you spawn broad access to local and connected resources — enough to read or use other skills' credentials or execute arbitrary commands if the task or prompts are malicious or malformed.
- Install Mechanism (ok): There is no automated install script or remote download; the skill is distributed as files and expects 'openclaw' in PATH and Python 3. No external URLs or archive extraction are used. That lowers install-time risk, but you still run a local Python script that performs networked actions.
- Credentials (concern): The skill declares no required environment variables, which is reasonable, but it depends on the platform's OAuth (gateway) and on other installed skills' credentials implicitly — and worker sessions explicitly inherit access to those OAuth-bound skills. That is a powerful capability: a worker could (if instructed) use Gmail/Drive/other skills or spawn further sessions. The implicit use of gateway OAuth and the absence of explicit credential disclaimers in metadata are notable and should be evaluated before granting trust.
- Persistence & Privilege (concern): The skill is not forced-always, but it spawns background processes and agent sessions that inherit full runtime privileges. It supports a batch (--no-interactive) mode that removes human checkpoints, enabling fully autonomous operation with access to OAuth-bound skills. Combined with the worker privilege model, this gives a high blast radius if a run is misconfigured or given an untrusted task.
