Skill v1.0.0

ClawScan security

OpenClaw Agent Control Skill · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Suspicious · Mar 5, 2026, 5:52 PM
Verdict
suspicious
Confidence
medium
Model
gpt-5-mini
Summary
The skill's purpose (deploying a web backend+frontend) matches the script, but metadata omits required tools and the script fetches and executes code from an external repo (npm install, running Python/Node servers) with unsafe defaults (/root), so the package is coherent but contains risky, under-described behavior you should review before running.
Guidance
This skill will clone a remote GitHub repo and run its code (npm install, build, and start a Python/Node server) on your machine by default in /root. Before installing:
1) Verify and trust the REPO_URL and ideally pin to a specific commit or release rather than main.
2) Inspect the repository (especially package.json scripts and any install hooks) and the Python app for unexpected network calls or credential usage.
3) Do not run as root; change PROJECT_DIR to a non-privileged directory or run inside an isolated container/VM.
4) Ensure required binaries (git, node/npm, python, uvicorn or equivalent) are installed and declared.
5) If you need lower risk, run the deploy script manually in a sandbox first and monitor outbound network activity.
If the publisher or repository cannot be verified, avoid running this on production or sensitive hosts.

Review Dimensions

Purpose & Capability
concern: SKILL.md and the script clearly implement a deploy/start workflow (git clone, start backend, build frontend). However the registry metadata declares no required binaries or envs even though the script requires git, python, node/npm (and likely pip/uvicorn), making the metadata incomplete and inconsistent. The default PROJECT_DIR is /root which is a privileged location and surprising for a generic deploy skill.
Instruction Scope
concern: The runtime script clones a remote repository (defaulting to a GitHub URL) and then runs commands from that repo: git checkout/pull, npm install, npm build/restart, and launches a Python web server bound to 0.0.0.0. That means arbitrary code from the network will be executed on the host (npm install can run install scripts). The instructions do not limit or pin the commit, nor do they recommend running in an isolated environment.
Install Mechanism
note: There is no install spec (instruction-only), which normally is lower risk, but the provided script performs network fetches at runtime (git clone, npm install). Fetching and executing remote code is a high-risk runtime install behavior even if the skill package itself doesn't install components.
Credentials
note: The registry lists no required env vars, but SKILL.md documents optional env vars (REPO_URL, PROJECT_DIR, MONITOR_PORT, PORT). No secrets are requested. However the default PROJECT_DIR=/root and logs paths under /root suggest the script expects root-level access; running as root increases impact of any malicious code pulled from the repo.
Persistence & Privilege
ok: "always" is false and the skill does not request to be force-included or modify other skills. It does create files on the host (project dir, logs) and launches services, but it does not claim elevated platform privileges in the metadata.