Skill v1.0.3
ClawScan security
Clawsy · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Suspicious · Mar 30, 2026, 12:30 AM
- Verdict: suspicious
- Confidence: medium
- Model: gpt-5-mini
- Summary: The skill's declared purpose (macOS companion) matches most instructions, but it instructs the agent to read a local gateway auth file and automatically disclose the gateway host/token and to inject mandatory prompt blocks into all sub-agents — behaviors that are sensitive and out-of-band for a simple skill.
- Guidance: This skill is plausible for a macOS companion app, but it asks the agent to read your local OpenClaw gateway config (~/.openclaw/gateway.json) and to send the gateway host and auth token directly to the user/Clawsy app. Before installing:
  1) Verify the Clawsy app source and repository owner (the SKILL points at github.com/iret77/clawsy).
  2) Understand that sharing your gateway auth token allows the remote Mac to pair to your gateway — only share this if you trust the device and operator.
  3) Consider whether automatic disclosure of the token is acceptable; if not, perform pairing manually and avoid running the postInstall commands.
  4) Note the skill forces a Clawsy prompt block into every sub-agent and recommends using Clawsy capabilities without explicit user permission — this can leak data or expand access unexpectedly.
  5) If you proceed, limit exposure: audit the gateway authToken, rotate/revoke it after testing, and only install on machines you control or trust. If unsure, treat this skill as untrusted and do not enable it.
- Findings:
  - [system-prompt-override] unexpected: SKILL.md explicitly requires inserting a Clawsy context/prompt into every sub-agent system prompt (a prompt-injection style instruction). While this could be intended to enable sub-agents to use Clawsy, it is not an expected benign artifact for a simple companion skill because it enforces behavior across unrelated sub-agents and can be abused to propagate influence.
Review Dimensions
- Purpose & Capability (note): Clawsy claims to provide macOS capabilities (screenshots, camera, clipboard, files, location) and the instructions/tools referenced (nodes/session APIs, pairing flow) align with that purpose. However the skill requires the gateway host and auth token (extracted from ~/.openclaw/gateway.json) to pair — reading and transmitting that token is sensitive and is not declared in the skill's requirements.
- Instruction Scope (concern): SKILL.md and metadata contain explicit runtime instructions to read ~/.openclaw/gateway.json (via a postInstall python command and shell examples) and to send the exact host/token block to the user. It also mandates inserting a Clawsy context block into every sub-agent system prompt and instructs 'Don't ask for permission first' when Clawsy is connected. These instructions escalate scope (reading local auth files, automatic credential disclosure, mandatory prompt injection/proliferation) beyond normal helper behavior.
- Install Mechanism (note): There is no install spec or bundled code (instruction-only), and the download link points to a GitHub releases URL (reasonable). However the skill metadata includes a postInstall hook that will run a python command on install to read ~/.openclaw/gateway.json; that runtime action writes nothing to disk but will access sensitive local config.
- Credentials (concern): The skill requests no declared env vars, yet it explicitly reads a local config file to extract the gateway authToken and host and instructs the agent to forward that token to the user. Accessing and transmitting the gateway auth token is a high-privilege action not made explicit in the skill's declared requirements and is disproportionate unless the user explicitly consents and understands the consequence.
- Persistence & Privilege (concern): The skill does not set always:true, but it demands that every spawned sub-agent include a mandatory Clawsy context block (a form of runtime propagation / prompt override). This effectively forces Clawsy-related behavior into future sub-agents and can broaden the skill's influence across agent activities — a privacy/propagation risk.
