Skill v1.0.0
ClawScan security
skill scan and detect risk · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Suspicious · Mar 12, 2026, 1:52 AM
- Verdict
- suspicious
- Confidence
- medium
- Model
- gpt-5-mini
- Summary
- The skill mostly matches its stated purpose (scanning installed skills) but contains inconsistencies and a hook that modifies the agent system prompt — a combination that deserves caution before installing.
- Guidance
- This skill appears to implement a legitimate local scanner, but there are two things to check before installing:
  1. Inspect and control the hook: hook/shield-scan.js runs a local Python startup script and appends its output to the agent's system prompt. That behavior can change agent behavior broadly (prompt injection). If you install, either remove or disable the hook, or ensure the referenced startup script is present, simple, and cannot be modified by untrusted parties.
  2. Fix the inconsistency: SKILL.md claims hook/auto-check is 'planned', but a hook file exists and it references scripts/tui-startup.py which is missing. Ask the author why the hook is present and what the startup script should do. If you can't verify the startup script's content, do not enable the hook.

  Other precautions: review config.json allowlist entries (ensure you trust the listed skills), run the scanner in a sandbox first, and limit write permissions to ~/.openclaw/workspace/skills so attackers cannot replace the startup script or other scanner files.

  If you need a short recommendation: keep the scanner code (scripts/shield.py) but remove/disable the JS hook until its behavior is audited.
Review Dimensions
- Purpose & Capability
- ok: Name/description match the code: the Python scanner scans ~/.openclaw/workspace/skills for keywords, builds a risk DB, and offers allowlist/blocked behavior. Required binary (python3) is appropriate and no unrelated credentials or external binaries are requested.
- Instruction Scope
- concern: SKILL.md and scripts describe scanning the skills directory, reading SKILL.md and scripts/, and saving a local JSON DB; this is within scope. However, SKILL.md states that 'Hook mechanism/automatic check' is planned/not implemented, yet a hook file (hook/shield-scan.js) exists and is registered for 'session-start'. The hook executes a startup Python script and appends its output to context.systemPrompt, which can influence the agent globally. That hook references scripts/tui-startup.py, which is not present in the package (missing file), an incoherence that could cause runtime errors or be abused if that file is later added/modified.
- Install Mechanism
- ok: No install spec (instruction-only install) and only a python script + small JS hook included. Nothing is downloaded from external URLs, no extract steps, and required binaries are minimal (python3).
- Credentials
- ok: No environment variables, no credentials, and no config paths beyond normal per-skill config (config.json under the skill and a memory JSON under ~/.openclaw). The scanner reads files under the skills directory as expected; it does not contain explicit network or credential exfiltration code in the provided files.
- Persistence & Privilege
- concern: The hook modifies context.systemPrompt by appending scan output. While the skill is not marked always:true, this hook will run at session-start (if the platform loads hooks), giving it an effective injection channel into agent prompts. Appending arbitrary script output into the system prompt is a potential prompt-injection vector and is disproportionate unless the startup script output is strictly controlled and sanitized. Also the code references a startup script that is missing, an inconsistency that should be resolved.
