OpenClaw Safety Guard
ReviewAudited by ClawScan on May 10, 2026.
Overview
The skill’s intended URL/file safety-checking workflow is mostly coherent, but its embedded package identity does not match the listing, so users should review provenance before installing.
Review the mismatched metadata and verify the Homebrew tap/homepage before installing. If you proceed, use limited API keys and only run it on files or URLs you are comfortable sending to the configured providers.
Findings (3)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
A user may install a skill whose packaged identity does not match the public listing, making it harder to know who published or controls it.
The embedded metadata identifies a different owner and slug than the supplied registry listing for safety-guard, which creates package identity and provenance ambiguity.
"ownerId": "kn70pywhg0fyz996kpa8xj89s57yhv26", "slug": "summarize"
Verify the registry listing, homepage, and Homebrew tap before installing; the publisher should republish with matching metadata.
The CLI can use the user’s provider accounts and may incur usage or billing under those accounts.
The skill expects provider and service credentials for its documented workflow, but those credentials are not declared in the registry requirements.
Set the API key for your chosen provider: - OpenAI: `OPENAI_API_KEY` - Anthropic: `ANTHROPIC_API_KEY` ... Optional services: - `FIRECRAWL_API_KEY` ... - `APIFY_API_TOKEN`
Use dedicated, least-privilege API keys where possible and avoid exposing tokens for services you do not intend to use.
Private documents, media, URLs, or extracted content could be sent to external providers when the user chooses those inputs.
The skill processes user-selected files and URLs through a model/provider-based workflow; the artifacts name providers and fallbacks but do not detail data handling or retention.
Fast CLI to safety-guard URLs, local files, and YouTube links. ... Default model is `google/gemini-3-flash-preview` if none is set.
Review provider privacy terms and avoid submitting sensitive local files unless you trust the configured model and extraction services.