clawnedhub - Scan and Security your OpenClaw Instances
Review
Audited by ClawScan on May 10, 2026.
Overview
This skill appears purpose-aligned for OpenClaw security inventory and scanning, but users should be comfortable with Clawned receiving skill inventory data and explicitly scanned source files.
This looks coherent for a security dashboard skill. Before installing, make sure you trust Clawned with your installed-skill inventory, hostname/OS metadata, and any source files you explicitly scan. Keep CLAWNED_SERVER pointed at the intended service, do not scan directories containing secrets, and enable the cron schedule only if you want ongoing background sync.
Findings (4)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
The skill can authenticate to Clawned and can access your OpenClaw configuration file while discovering installed skills.
The skill uses a provider API key and opens the OpenClaw config file to find skill directories. The shown code only uses extraDirs and sends the API key as an Authorization header to Clawned, which is expected for this integration.
CLAWNED_API_KEY = os.getenv("CLAWNED_API_KEY", "") ... cfg = json.load(open(os.path.join(home, ".openclaw", "openclaw.json"))) ... cfg.get("skills", {}).get("load", {}).get("extraDirs", [])
Use a dedicated Clawned API key, keep the server URL set to the intended Clawned endpoint, and review the complete script if your OpenClaw config contains highly sensitive values.
If you run scan --path, source and configuration-like files from that directory may leave your machine for server-side analysis.
The skill explicitly discloses that a user-requested scan uploads source file contents to the Clawned server. This is purpose-aligned, but it is a sensitive external data flow.
During `scan --path` ... Reads source files (`.md`, `.py`, `.js`, etc.) from the specified skill directory for analysis ... File contents are sent to the Clawned server for security analysis
Only scan skill directories you intend to share with Clawned, and avoid scanning directories that may contain private secrets or unrelated project files.
Clawned may receive basic device-identifying information, not just installed skill metadata.
The SKILL.md privacy section emphasizes that sync sends only skill metadata, while the code also registers the agent with hostname and OS. This appears useful for a dashboard agent, but users should notice the extra device metadata.
api_request("/api/skills/agent/register", {"hostname": platform.node(), "os_platform": platform.system().lower()})
Assume the dashboard can see your machine hostname and OS platform; change your hostname or avoid sync if that information is too sensitive.
If enabled, the skill can keep syncing your skill inventory to Clawned periodically.
The documentation provides an optional recurring sync schedule. It is disclosed and user-configured, not hidden persistence.
Schedule every 6 hours via OpenClaw cron: ... "schedule": "0 */6 * * *" ... "command": "Run clawned sync to check all installed skills"
Only enable the cron job if you want recurring background inventory sync, and remove the job when you no longer need it.
