Skillv1.14.15

ClawScan security

control-plane · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

ReviewMar 22, 2026, 9:44 AM

Verdict: Review
Confidence: medium
Model: gpt-5-mini
Summary: The skill's code and runtime instructions line up with a control‑plane bridge, but registry metadata omits the required sensitive environment variables and the package talks to an external SaaS endpoint of unknown provenance — this mismatch and external dependency warrant caution.
Guidance: This package appears to implement a legitimate OpenClaw<->Emperor control‑plane bridge, but there are important red flags you should address before installing: - Metadata mismatch: the registry says no required env vars, yet SKILL.md and example scripts require EMPEROR_CLAW_API_TOKEN (and related EMPROR_CLAW_* vars). Do not provide live credentials until you verify the publisher. - Unknown external endpoint: the control plane URL is https://emperorclaw.malecu.eu. Verify the service owner (company, Git repo, homepage) and review the running service's trustworthiness before handing it a workspace API token. - Least privilege: create a scoped API token with the minimal permissions needed for testing (read-only if possible), and rotate/delete it after testing. - Inspect files locally: the examples persist state under ~/.openclaw/... — review those files after a run to ensure no secrets are written. The code does not appear to write the API token to disk, but confirm in your environment. - Run in a sandbox first: test the bridge in an isolated environment or test workspace, monitor outbound connections, and review logs for unexpected transmissions. - Ask the publisher for provenance: request a canonical homepage/repository and signed releases. The package.json points to a GitHub repo and the domain above; confirm those are legitimate and controlled by your organization or a trusted vendor. If you cannot verify the service owner and provenance, treat the skill as untrusted and avoid supplying production API tokens or enabling it in agents that have access to sensitive data.

Review Dimensions

Purpose & Capability: noteThe name/description (control plane / durable checkpoints) match the included bridge examples and API reference: the code registers runtimes, claims tasks, heartbeats, checkpoints memory, and connects to the declared MCP endpoint. However the registry metadata claims no required env vars while SKILL.md and the examples require EMPEROR_CLAW_API_TOKEN and other EMPROR_CLAW_* variables — an internal inconsistency.
Instruction Scope: okSKILL.md and examples consistently instruct the agent to register, start sessions, call REST endpoints, open a WebSocket, persist a local bridge-state journal in a companion directory, and only write business artifacts to Emperor. The instructions reference local files (companion/state under the user's home) and outbound network calls to the remote API; these behaviors are coherent with the stated control-plane purpose.
Install Mechanism: okThere is no install spec; the skill is instruction-plus-examples only. The included example scripts are plain JS/Python that will run in the runtime. No remote installers or extracted archives are used — lower install risk compared to arbitrary downloads.
Credentials: concernThe runtime requires a workspace-scoped API token (EMPEROR_CLAW_API_TOKEN) and multiple EMPROR_CLAW_* env vars (companion/state paths, agent/runtime IDs) which are appropriate for a control-plane bridge. The concern is the metadata mismatch: the registry lists "Required env vars: none" while SKILL.md explicitly requires the API token. The external endpoint (https://emperorclaw.malecu.eu) is not verified in registry metadata (source/homepage appear unknown or missing), so giving a token to this skill grants networked control-plane privileges to an external service of uncertain provenance.
Persistence & Privilege: okThe skill persists local bridge state under user-owned directories (~/.openclaw/emperor-control-plane by default) and does not request always:true or global system changes. It does not modify other skills or system-wide settings in the provided files. Persisted state includes cursors, dedupe journals, and agent/session IDs (not obviously secrets), but these files should be inspected for sensitive data before trusting them.