Secucheck

People or devices on the same network might be able to view security findings, host details, or configuration weaknesses if the dashboard is reachable without controls.

The skill instructs the agent to serve the audit report and prefer a LAN-accessible URL, but the visible artifacts do not specify authentication, expiration, or bind restrictions.

The audit may access sensitive OpenClaw authentication or configuration data; if mishandled or included in the LAN dashboard, that information could aid account or gateway compromise.

Checking token entropy implies reading authentication configuration or token values. That is purpose-aligned for a security audit, but the artifacts do not clearly declare exact files read, redaction rules, or report boundaries.

The skill can execute local audit commands and inspect system state when invoked.

The skill runs local shell scripts as the core audit mechanism. This is expected for runtime/security inspection, but users should understand it is not merely static text.

It is harder to verify that the installed files match the published release or a trusted upstream source.

The registry metadata lists version 2.8.0 while the packaged _meta.json lists 2.7.0, and the source/homepage are unknown. This is a provenance and traceability gap for a script-running skill.

If an agent incorrectly treats scenario text as instructions, it could be confused during report generation.

This prompt-injection text appears in a scenario file for a security-audit skill, so it is likely example attack content; it still needs to be treated as quoted data, not executable instruction.