Openclaw Code
PassAudited by ClawScan on May 10, 2026.
Overview
This instruction-only coding workflow appears benign; it only has optional local preference memory and a minor package metadata mismatch to verify.
This skill is reasonable to install if you want structured coding workflow guidance. Confirm the package owner/version because of the metadata mismatch, review plans before approving project changes, and only allow it to save non-sensitive preferences in ~/code/memory.md.
Findings (2)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
It may be harder to confirm that the package exactly matches the registry listing or intended maintainer.
The bundled metadata lists owner/version values that differ from the registry metadata supplied for review, which lists owner ID kn73gh0xkz1std8hdwdfxrde6x82x54x and version 1.0.0. Because the skill is instruction-only with no install script or executable code, this is a provenance note rather than evidence of harmful behavior.
"ownerId": "kn73vp5rarc3b14rc7wjcw8f8580t5d1", "version": "1.0.4"
Verify the skill version, owner, and homepage before installing, especially if you rely on the registry metadata for trust.
Preferences saved in ~/code/memory.md may affect later coding sessions, so inaccurate or overly broad preferences could steer future work.
The skill uses a persistent local memory file for user preferences. This is disclosed, scoped, and user-controlled, but saved preferences can influence future coding behavior.
Read `~/code/memory.md` for user's stated preferences if it exists.
Only save non-sensitive coding preferences, review ~/code/memory.md occasionally, and avoid storing secrets, credentials, or instructions that should not persist.