Back to skill
Skillv1.0.0
ClawScan security
External Ki Integration Backup · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
SuspiciousFeb 22, 2026, 5:58 PM
- Verdict
- suspicious
- Confidence
- medium
- Model
- gpt-5-mini
- Summary
- The skill's runtime instructions are consistent with its stated purpose (using browser automation and optional API keys) but the registry metadata omits several config/credential references and the instructions ask the agent to access user browser sessions and local config/log paths — this mismatch and potential access to sensitive chat content merits caution.
- Guidance
- Before installing or invoking this skill: (1) Verify the publisher/source — the registry metadata omits config/env references that appear in the runtime instructions. (2) Only attach Chrome tabs that you explicitly permit the agent to read; do not attach tabs containing private chats, passwords, or sensitive data. (3) Be cautious supplying API keys; prefer temporary or scoped keys and revoke them after use. (4) Inspect your ~/.openclaw/openclaw.json and any logs the agent might read/write; if you don't want the skill to read that file, do not grant it access and ask the publisher to remove that behavior. (5) Ask the publisher to update registry metadata to declare the optional env vars and config paths the skill uses; lack of declared requirements is a red flag. If you cannot confirm these points, treat the skill as risky and avoid providing credentials or attaching sensitive browser sessions.
Review Dimensions
- Purpose & Capability
- noteThe skill claims to mediate external AI services via browser automation and APIs, and the SKILL.md contains concrete browser-relay and API call patterns that match that purpose. However, the manifest/registry metadata lists no required env vars or config paths while the SKILL.md explicitly references a local config (~/.openclaw/openclaw.json) and several optional API keys (OPENAI_API_KEY, ANTHROPIC_API_KEY, HF_TOKEN). The omission in metadata is an inconsistency the publisher should explain.
- Instruction Scope
- concernInstructions direct the agent to navigate user-attached Chrome tabs, interact with logged-in web UIs, extract chat responses, and read/write to local paths (e.g., ~/.openclaw/openclaw.json, system/logs/hf-costs.log) and update skills/index.md. Accessing browser sessions and local config/log files can expose sensitive data; while this is within the skill's stated function, the instructions also reference files and edits outside the immediate task without those paths being declared in metadata.
- Install Mechanism
- okThis is instruction-only (no install spec, no code files). That reduces supply-chain risk because nothing is downloaded or written at install time by the skill itself.
- Credentials
- concernThe SKILL.md expects optional API keys (OPENAI_API_KEY, ANTHROPIC_API_KEY, HF_TOKEN) and may read a token from ~/.openclaw/openclaw.json, yet the registry metadata declares no required env vars or config paths. Optional credentials are reasonable for API calls, but the discrepancy and the ability to read an on-disk token (not declared) are proportionality concerns — the skill can access both web-session data and local stored tokens, increasing sensitive access surface.
- Persistence & Privilege
- noteThe skill does not request always: true and has no install step, so it does not demand permanent elevated presence. It does suggest adding itself to skills/index.md (a local documentation/config file) which would modify agent state; editing its own index entry is plausible but should be explicit and limited to its own directory.