Skillv1.0.6

ClawScan security

Openclaw Autoupdate · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

SuspiciousMar 3, 2026, 6:01 AM

Verdict: suspicious
Confidence: medium
Model: gpt-5-mini
Summary: The skill's behavior matches an autoupdate tool, but there are several inconsistencies and missing safeguards (undeclared required tools/privileges, unsigned downloads, version mismatches) that increase supply‑chain and privilege risks.
Guidance: This skill does perform exactly what an updater would: fetch a release from GitHub, install a DMG into /Applications, run a global npm install, and restart the OpenClaw gateway. That said, the package has quality issues and missing safeguards. Before installing or running it: 1) Inspect the script yourself and confirm the included SHA256 matches the shipped file. 2) Be aware the script will attempt to modify /Applications and run npm -g (may require sudo); do not run it as root without review. 3) Prefer updaters that verify release checksums or signatures — this script does not verify the downloaded DMG or npm package. 4) Confirm the GitHub release URL and the maintainer identity are legitimate; the SKILL.md/package.json/registry version mismatch is suspicious. 5) If you want lower risk, run the script manually rather than granting an agent autonomous invocation, or add integrity checks (curl the release checksum and validate) before permitting automated runs.

Review Dimensions

Purpose & Capability: noteName/description align with the actual script: it checks versions, downloads a DMG from GitHub, installs the app to /Applications, runs npm -g to update the CLI, and restarts the gateway. However the registry metadata declares no required binaries while the script clearly requires openclaw, curl, plutil, hdiutil, npm and filesystem access to /Applications—these are not declared. The mismatch suggests sloppy publishing and should have been declared.
Instruction Scope: concernSKILL.md instructs running the included script and claims only a few 'safe' commands are used, but the script performs network fetches, mounts and copies a DMG into /Applications, removes files, performs a global npm install, and restarts a system service. Those actions are consistent with an updater but go beyond simple local reads/writes and require elevated privileges; SKILL.md does not warn about required sudo/admin rights. Also SKILL.md/package.json/skill registry versions are inconsistent (SKILL.md says v1.0.2, package.json 1.0.3, registry 1.0.6), which is a red flag for maintenance quality.
Install Mechanism: concernNo installer (instruction-only) — low installer risk. But at runtime the script downloads a DMG from GitHub and runs npm install -g without any integrity or signature verification of the downloaded artifacts. Fetching executable installers at runtime without checksum/signature verification raises supply-chain risk.
Credentials: concernThe skill declares no env/credentials, which is appropriate, but it implicitly requires system-level privileges (writing to /Applications, global npm installs, restarting services). Those privileges are disproportionate to what the SKILL.md explicitly documents (it even downplays the scope). No environment variables are requested, but privileged filesystem and global package changes are required and not called out.
Persistence & Privilege: notealways:false (normal) and model invocation is allowed (normal). The script writes logs under ~/.openclaw/logs (expected) and does not attempt to modify other skills or agent config. The main concern is that an autonomously invoked updater with the ability to download and install binaries could modify system software if run without user oversight.