Skillv1.0.0

ClawScan security

Codex Deep Search · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

SuspiciousMar 6, 2026, 1:24 PM

Verdict: suspicious
Confidence: medium
Model: gpt-5-mini
Summary: The skill mostly does what it says (runs Codex CLI and writes search results) but contains several incoherences and undeclared accesses (hardcoded user paths, reads agent config for a hook token, and expects local OpenClaw binaries) that should be clarified before installing.
Guidance: This skill appears to run Codex CLI searches and save results, but it currently: (1) hardcodes user-specific paths (/Users/gdjwz/.openclaw and /opt/homebrew/bin/openclaw) that may not exist on your system, (2) reads the agent config file (~/.openclaw/openclaw.json) to extract a hooks.token without declaring that it needs or will access that credential, and (3) attempts to notify via an openclaw binary and POST to a local /hooks/wake endpoint. Before installing, ask the author to: (a) remove or parameterize hardcoded paths and list required binaries (codex, openclaw, jq, curl, timeout), (b) explicitly declare any environment variables and config files the script will read (and justify why it needs the hooks.token), and (c) explain the wake callback and Telegram notification flows and where tokens are sent. If you proceed, run the skill in an isolated environment, inspect your ~/.openclaw/openclaw.json to confirm it contains no secrets you don't want exposed to skill code, and consider modifying the script to write results into a directory you control rather than a hardcoded home path. My confidence is medium; if the author supplies a revised script that parameterizes paths and removes implicit reads of openclaw.json (or documents them and declares required env/config), I would reassess toward benign.

Review Dimensions

Purpose & Capability: concernName/description: deep web research via Codex CLI — matches the script's primary action (invoking a Codex CLI with a search instruction). Concerns: the script assumes an OpenClaw runtime (openclaw binary, message send to Telegram, local gateway wake endpoint) and hardcodes user-specific paths (/Users/gdjwz/.openclaw and /opt/homebrew/bin/openclaw). The SKILL.md gives example paths under /home/ubuntu/... which do not match the script; these path/binary expectations are not declared in metadata and are environment-specific.
Instruction Scope: concernSKILL.md instructs running scripts and using Telegram callbacks, which is expected. However the script also reads an agent config file (~/.openclaw/openclaw.json) to extract a hooks.token, sends a POST to http://localhost:${PORT}/hooks/wake with that token, and may call the system openclaw binary to deliver Telegram messages. The SKILL.md does not document reading local agent config, extracting tokens, or contacting the local wake endpoint.
Install Mechanism: okInstruction-only skill (no install spec) — low install risk. The script does rely on external utilities (codex CLI, openclaw binary, jq, curl, timeout, sed, head) but none are declared in the registry metadata.
Credentials: concernRegistry declares no required env vars or config paths, but the script uses/relies on: CODEX_BIN (optional env), OPENCLAW_GATEWAY_PORT, a hardcoded RESULT_DIR and OPENCLAW_CONFIG pointing to /Users/gdjwz/.openclaw/openclaw.json, and extracts hooks.token from that config. Reading that JSON can expose a hook/token belonging to the agent — a sensitive credential — and this access is not declared. Telegram notifications and wake hooks involve credentials and endpoints that should be explicitly requested.
Persistence & Privilege: concernThe skill is not 'always' enabled, but it reads the agent's config (~/.openclaw/openclaw.json) and uses any hooks.token found to POST to a local /hooks/wake endpoint. Accessing other-agent configuration and tokens is a privileged action and should be declared and justified; this is not documented in SKILL.md or metadata.