Skill v0.1.1
ClawScan security
Openclaw Safety Guard · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Benign (Mar 8, 2026, 8:26 AM)
- Verdict: benign
- Confidence: medium
- Model: gpt-5-mini
- Summary: The skill's files, runtime instructions, and required env/binaries are consistent with a local OpenClaw health-checker that posts reports to Feishu, but it performs broad local scans and will write cron/config state and run automatic low-risk fixes — review the setup and fix scripts before installing.
- Guidance: This skill is coherent with its stated purpose (local watchdog that notifies via Feishu) but it will: (1) read many local files (LaunchAgents plist, exec-approvals, git working tree, workspace knowledge directories), (2) write config.json and register a scheduled cron job, and (3) may perform automated low-risk fixes (chmod). Before installing: review the actual contents of scripts/setup.py, scripts/fix_green.py, scripts/notify_feishu.py and scripts/upload_to_feishu_drive.py to confirm they only access/ship data you expect and that fixes are limited to safe operations. Consider running the pipeline manually in a safe environment (python3 scripts/run_pipeline.py) with FEISHU env vars unset to inspect outputs first. Because the source and homepage are absent and a base64-block was flagged by the scanner, exercise caution: prefer manual code review or running the code in an isolated/test environment before granting it access to your real Feishu credentials and production workspace.
- Findings:
  - [base64-block] unexpected: A base64-block pattern was flagged in SKILL.md by the pre-scan. The visible SKILL.md content does not obviously contain base64 payloads, so this could be either a false positive from the scanner or an obfuscated/encoded block elsewhere in the documentation files. Treat this as a caution: inspect SKILL.md and any embedded strings in scripts (especially setup.py, notify_feishu.py, upload_to_feishu_drive.py, and fix_green.py) for encoded payloads or hidden instructions before installing.
Review Dimensions
- Purpose & Capability (ok): The name/description promise a local watchdog that scans 7 dimensions and notifies via Feishu. Requested binaries (python3, node, npm) and environment variables (FEISHU_APP_ID, FEISHU_APP_SECRET) match that purpose (Python scripts for probes and a Node frontend build; Feishu credentials for notification/upload). The included scripts (scan_*.py, generate_dashboard.py, notify_feishu.py, upload_to_feishu_drive.py, setup.py) align with the declared functionality.
- Instruction Scope (note): SKILL.md tells the agent to run setup.py (which writes config.json and registers a cron job), then run run_pipeline.py to execute probes that scan code, plist/launch agents, exec-approvals, git repos, memory/knowledge dirs and other local paths. Those reads and writes are within the stated watchdog scope, but they are broad (system LaunchAgents, exec-approvals file, workspace files). The agent will also obtain the installer's Feishu open_id from the conversation context to populate notify.receive_id — this is expected for automated notifications but is an access-to-conversation-context action worth noting.
- Install Mechanism (ok): There is no external install spec (no arbitrary download step); code is provided in the skill bundle and SKILL.md instructs running local Python/Node commands. This is lower risk than fetching executables from untrusted URLs. No installers or third-party URL downloads are referenced in SKILL.md.
- Credentials (note): Only FEISHU_APP_ID and FEISHU_APP_SECRET are declared and these are justified by the Feishu notification/drive upload functionality. However, the skill will read many local files/paths (plist, exec-approvals, workspace files, git repos) as part of scans; while coherent with the purpose, these are sensitive sources of data. The primaryEnv (FEISHU_APP_ID) is appropriate.
- Persistence & Privilege (note): The skill's post-install setup writes config.json and registers a cron job under .openclaw/state/cron/jobs.json and instructs restarting the Gateway so daily scans run. It also includes an automatic 'fix_green.py' remediation step (documented as limited to chmod-like low-risk ops). These are reasonable for a scheduled watchdog but constitute persistent presence and the ability to modify local state/permissions, so audit the setup and fix scripts before granting runtime access.
