Skill v0.5.1-openclaw.1
ClawScan security
Visual Explainer for OpenClaw · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Suspicious · Mar 6, 2026, 6:55 AM
- Verdict: suspicious
- Confidence: medium
- Model: gpt-5-mini
- Summary: The skill is largely consistent with a visual HTML generator, but its runtime instructions include editing repository files in-place and an optional 'share' workflow that uploads pages to an external host (Vercel); both warrant review before use.
- Guidance: This skill appears to be what it says, a local HTML diagram/review generator, but it includes two behaviors you should explicitly accept before installing:
  - In-place edits: Several prompts (fact-check, plan/diff reviews) instruct the agent to modify project files directly. If you don't want automated edits, run the skill in a read-only clone or ask it to produce suggested edits instead of applying them.
  - Sharing to Vercel: The 'share' workflow and changelog claim zero-friction Vercel deployments. Inspect scripts/share.sh (and any 'vercel-deploy' helper) before running to confirm where content is uploaded and whether credentials or external accounts are used. Treat the share workflow as an explicit action that may publish potentially sensitive content.

  Other practical checks:
  - Review scripts/share.sh and any small helper scripts for network calls or third-party endpoints before using the share command.
  - If you plan to let the agent run git commands and read your repository, run the skill in a disposable clone or sandbox until you’re comfortable.
  - If you don't want external image generation, ensure the environment lacks the optional 'surf' CLI or confirm the CLI's invocation is what you expect.

  If you want, I can (1) summarize exactly where the prompts ask to write files or make network requests, (2) show the content of scripts/share.sh for inspection, or (3) suggest safer invocation patterns (e.g., produce diff patches instead of writing files, or require explicit confirmation before share deployments).
Review Dimensions
- Purpose & Capability
- note: The name/description match the files and prompts: the skill generates self-contained HTML diagrams, slide decks, and visual reviews. Asking the agent to read source files, run git commands, and produce HTML files is coherent with the advertised purpose. One notable capability that goes beyond mere rendering: several prompts (fact-check, diff-review, plan-review) explicitly instruct the agent to edit project files in place and to write corrections back to the repository. That behavior is powerful but explainable for a fact-check/diff-review skill; surface it to the user.
- Instruction Scope
- concern: The SKILL.md and prompt templates instruct the agent to run git commands, read many local files (project source, docs, agent memory under ~/.openclaw/workspace/memory/...), and in some workflows to make direct edits to original files (fact-check.md: 'Correct in place' / 'Write corrections to the original file'). They also include a 'share' workflow that deploys generated pages to Vercel (external hosting). Reading and editing local repo files is consistent with code-review tasks, but automatic in-place edits and third-party uploads are significant side-effects that should be disclosed to users and gated.
- Install Mechanism
- ok: This is instruction- and file-backed; there is no install spec that downloads or executes remote archives. The README and SKILL.md suggest optional git clone steps and refer to the original GitHub repo; those are normal for manual install. No high-risk download URLs or archive extraction are present in the manifest.
- Credentials
- note: The skill declares no required environment variables or credentials, which is consistent with its core functionality. However, optional behaviors reference external tools/services (the surf CLI for image generation and a 'vercel-deploy' helper script). The changelog and prompts mention a zero-auth Vercel deploy behavior ('no account or authentication required'). If true, that implies uploading user content to a third-party account and is not declared in requires.env, which is a proportionality concern and should be validated.
- Persistence & Privilege
- note: The skill does not request always:true and is user-invocable; it writes files to a local workspace path (~/.openclaw/workspace/diagrams/), which is consistent with generating HTML artifacts. The bigger persistence concern is the skill's instruction to edit repository files in place (fact-check), and the optional share script that would make artifacts externally accessible. Neither of these is an 'always' privilege, but both are powerful capabilities and should be authorized by the user.
