Jason's OpenClaw Security Scanner
Review
Audited by ClawScan on May 1, 2026.
Overview
The skill is a coherent OpenClaw security scanner, but users should note that it reads local configuration/workspace files and can apply automatic fixes that modify OpenClaw files.
This skill appears purpose-aligned for local OpenClaw security review. Before installing or running it, be aware that it scans local OpenClaw workspace files for secrets and that '--fix-all' may modify configuration, permissions, or rule files. Prefer running the scan first and using interactive fixes.
Findings (4)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
If run with automatic repair, the skill may change local configuration, permissions, or agent instruction files.
The skill documents an automatic repair mode that can apply all detected fixes. This is disclosed and aligned with the scanner purpose, but it can modify local OpenClaw-related files without per-item confirmation.
python3 scripts/scan_security.py --fix-all
Run the normal scan first, then use '--interactive' to approve each fix unless you are comfortable with all proposed changes.
Local service secrets may be read and included in internal fix data while the scan runs.
The script reads OpenClaw configuration and processes a Feishu app secret when present. This is expected for a security scanner, but it means the tool handles credential-like data.
config_file = self.openclaw_dir / "openclaw.json" ... feishu.get("appSecret") ... "var_value": secret_value
Run the scanner only in the intended local environment and avoid sharing raw scan output if it may contain configuration or secret details.
Private workspace files may be inspected during scanning for secrets.
The script recursively scans the OpenClaw workspace for sensitive patterns such as API keys, passwords, tokens, and private keys. This is purpose-aligned but involves reading potentially private local files.
self.workspace_dir = Path(workspace_dir or os.path.expanduser("~/.openclaw/workspace")) ... for root, dirs, files in os.walk(self.workspace_dir):
Run it only on workspaces you intend to scan, review ignore rules, and keep reports local unless you have checked them for sensitive content.
Users have less external context for trusting the script's origin or maintenance history.
The registry metadata does not provide a source repository or homepage. No hidden installer or dependency chain is shown, but provenance is limited.
Source: unknown; Homepage: none
Review the included script before running fixes, especially because it can read local configuration and modify OpenClaw files.
