Skillv1.0.2

ClawScan security

Private Bridge · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

BenignFeb 24, 2026, 10:35 PM

Verdict: benign
Confidence: high
Model: gpt-5-mini
Summary: The skill's code, instructions, and required environment variables are coherent with its stated purpose (an outbound-only WebSocket relay for remote control) and do not request unrelated credentials or system access.
Guidance: This skill appears internally consistent, but it gives a remote operator the ability to send prompts, trigger workflows, and restart your OpenClaw instance over an authenticated outbound channel. Before installing: only configure a relay URL you trust, treat AUTH_TOKEN like a secret and rotate it if compromised, review the relay operator's privacy/persistence guarantees (the client cannot enforce server-side retention), run the skill on a host with appropriate isolation/permissions, and monitor logs/network usage. If you need stronger assurance, review the relay server code or host your own relay.

Review Dimensions

Purpose & Capability: okName/description (PrivateBridge / remote-relay) match the included code: the RelayClient opens an outbound WebSocket to a configured relay, authenticates with a token and node_id, sends heartbeats, and dispatches capability-scoped commands (prompt, status, restart, workflow). Required env vars (RELAY_URL, NODE_ID, AUTH_TOKEN) align with functionality.
Instruction Scope: okSKILL.md instructs only to configure relay_url/node_id/auth_token and start OpenClaw; the runtime code only uses those values and the provided OpenClaw runtime interface. The instructions do not ask the agent to read other files, environment variables, or system configuration. Note: SKILL.md asserts the relay does not persist prompt content — that is a promise by the remote operator and cannot be verified from the client code.
Install Mechanism: okThere is no install script or external download. The package is instruction- and code-based with local TypeScript files; nothing in the manifest pulls third-party binaries or remote archives during install.
Credentials: okThe skill requires exactly three env/config values: relay URL, node id, and auth token. Those are appropriate and proportional to establishing an authenticated outbound relay connection. No unrelated secrets or system credentials are requested.
Persistence & Privilege: okThe skill is not forced-always-installed (always: false) and does not modify other skills or system-wide settings. Autonomous invocation is allowed (platform default) but is consistent with the skill's purpose (it needs to receive remote commands while running).