Skillv0.1.0

ClawScan security

OpenClaw 维护脚本 · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

SuspiciousMar 4, 2026, 4:01 PM

Verdict: suspicious
Confidence: high
Model: gpt-5-mini
Summary: The scripts appear to implement the described OpenClaw maintenance features, but the package metadata omits required environment/credential expectations and the runtime scripts perform privileged local actions (restarting services, switching proxies, sending notifications) that you should explicitly review before installing.
Guidance: This package's scripts do what the README says (monitor health, restart the gateway, switch Clash proxies, clean logs), but note two issues before installing: 1) the registry metadata does not declare the sensitive environment variables the scripts expect — you must provide OPENCLAW_NOTIFY_TARGET and, if using proxy switching, CLASH_API and CLASH_SECRET; 2) the scripts will invoke your local openclaw CLI to restart the gateway and will make network calls (to the local Clash API and to a public URL used for latency tests). Before installing, review and verify: the .env.example contents, the hard-coded OPENCLAW_BIN path (/opt/homebrew/bin/openclaw), what the openclaw CLI does and what credentials it stores, and that your Clash API is local and trusted. If you plan to deploy as a service (systemd/LaunchAgent), inspect or create the service/Plist files yourself rather than blindly loading unreviewed units. If you cannot audit or trust these scripts, avoid running them as-is or run them in a controlled environment (test machine/container) first.

Review Dimensions

Purpose & Capability: noteThe code and SKILL.md align with the stated purpose (gateway health checks, safe restarts, proxy switching via a local Clash API, log cleanup). However the registry metadata declares no required environment variables or credentials while the instructions and scripts clearly require and use sensitive variables (e.g., OPENCLAW_NOTIFY_TARGET, CLASH_API, CLASH_SECRET, OPENCLAW_BIN). This mismatch is unexpected and worth noting.
Instruction Scope: okRuntime instructions and scripts stay within the maintenance domain: they check a health endpoint, call the local Clash API, switch proxies, invoke the local openclaw CLI to restart/start/stop the gateway, write logs under ~/.openclaw, and manage a /tmp lock file. There are network calls (to local Clash API and to external DELAY_TEST_URL defaulting to api.telegram.org for latency tests) and a notification path that uses the openclaw CLI to send Telegram messages. The scope is narrowly focused on maintenance and monitoring; no unrelated system file reads or remote code downloads are triggered by the scripts themselves.
Install Mechanism: okNo remote install steps or downloads are present; install.sh simply copies bundled .sh files to ~/.openclaw/scripts and makes them executable. This is low-risk from an installation mechanism standpoint (no external archives or URLs executed).
Credentials: concernThe package metadata lists no required env vars, but SKILL.md and the scripts require sensitive configuration: OPENCLAW_NOTIFY_TARGET (Telegram ID), optional CLASH_API and CLASH_SECRET (API bearer token), OPENCLAW_BIN, and other parameters. These are proportional to the claimed functionality, but the omission from metadata is an incoherence and increases risk because users may not realize they need to supply secrets. The scripts also invoke the local openclaw CLI which may itself have credentials or permissions — users should verify what that CLI does and what privileges it holds.
Persistence & Privilege: okThe skill is not always:true and does not attempt to modify other skills or system-wide settings beyond copying files under the invoking user's home directory and recommending systemd/LaunchAgent usage. It uses /tmp for a lock file and writes logs to ~/.openclaw/logs. It will, when executed, restart services (via openclaw CLI) and control a local Clash API if configured — those are expected side effects for a watchdog but are privileged operational actions that require user consent.