Skillv1.1.0

ClawScan security

OpenClaw Docs Search + Config Patterns · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

BenignFeb 12, 2026, 4:41 AM

Verdict: benign
Confidence: high
Model: gpt-5-mini
Summary: This skill is internally consistent with its stated purpose: an offline OpenClaw docs search and reference helper that reads local docs and builds a local SQLite index — it does not request credentials or make network calls.
Guidance: This skill appears to do what it claims: offline indexing/search of OpenClaw docs and bundled reference files. Before installing or running the scripts: 1) Inspect the scripts (they run locally and read files under your home directory and system docs path). 2) Be prepared to run npm install (better-sqlite3 is a native module and may require build tools). 3) The skill will create a local SQLite index at ~/.openclaw/docs-index/openclaw-docs.sqlite — ensure you are comfortable with it writing there. 4) No credentials or network access are requested, but if you plan to add the skill as a trigger in openclaw.json or follow its post-install suggestions, review those changes before applying. 5) Note a minor incongruence: the registry shows no automated install spec even though SKILL.md/package.json expect an npm install — remember to run the install steps manually or via your normal package workflow.

Review Dimensions

Purpose & Capability: okThe name/description (OpenClaw docs search + config patterns) match the code and instructions: Node scripts and libs build/query a local FTS5 SQLite index of OpenClaw docs and ship embedded reference files. Required binary is 'node', and the only dependency is better-sqlite3 (an SQLite binding) — all proportional to a local docs search tool.
Instruction Scope: okSKILL.md restricts runtime actions to local tasks: reading AGENTS.md, running scripts (docs-search.js, docs-index.js, docs-status.js), and reading local doc files (e.g., /usr/lib/node_modules/openclaw/docs/ and files under ~/.openclaw). It explicitly claims 'No network calls - fully offline.' There are no instructions to read unrelated secrets or to transmit data externally.
Install Mechanism: noteRegistry had no formal install spec, but SKILL.md and package.json instruct installing the native npm dependency better-sqlite3 and running a local index rebuild. Using better-sqlite3 is expected for a local SQLite index but requires native build tools on some systems. The installation approach is local (npm) and does not download arbitrary archives or call remote URLs beyond the repo URL in metadata.
Credentials: okThe skill requires no environment variables, no credentials, and no config paths beyond local locations (HOME-based index and system docs path). Access to ~/.openclaw and /usr/lib/node_modules/openclaw/docs/ is necessary for its function and is proportionate to the stated purpose.
Persistence & Privilege: okSkill flags are default (always:false, user-invocable, model invocation allowed). It does not request permanent/always-on presence and does not modify other skills or system-wide agent settings by itself. It recommends optional triggers and adding workflow text to AGENTS.md, which are benign and user-controlled.