Skillv1.0.0

ClawScan security

OpenClaw Claude Code 百炼配置 · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

SuspiciousMar 8, 2026, 5:19 AM

Verdict: suspicious
Confidence: high
Model: gpt-5-mini
Summary: The skill's documentation coherently describes using the Claude Code CLI, but it fails to declare required binaries/credentials and instructs risky remote-install and configuration actions — the pieces don't fully align.
Guidance: What to consider before installing/use: - Metadata is missing: the skill uses the 'claude' CLI and Anthropic-style tokens but does not declare required binaries or env vars. Assume you'll need to provide an Anthropic API key and the 'claude' binary. - Do NOT run remote PowerShell scripts you don't fully trust (the README suggests 'irm https://claude.ai/install.ps1 | iex'). Prefer verified installers (winget) or manual installation after inspecting the script. - The skill instructs creating commits/PRs and adding MCP servers (which may require GitHub or other service tokens). Only provide those credentials if you trust the source and scope. - The instructions modify %USERPROFILE%\.claude and .claude/agents; review those files after changes. - Avoid using flags like --dangerously-skip-permissions and prefer --permission-mode plan when doing security-sensitive audits. - If you want to proceed: (1) verify the claude installer URL and prefer official releases/winget, (2) run installs in a controlled environment first (VM/container), (3) only provide service tokens with least privilege, and (4) request the skill author to update registry metadata to declare required binaries and env vars so the skill's intent and privileges are explicit.

Review Dimensions

Purpose & Capability: concernThe skill's name and description say it calls the Claude Code CLI, but the registry metadata declares no required binaries or env vars. SKILL.md repeatedly expects the 'claude' binary, Anthropic credentials (ANTHROPIC_AUTH_TOKEN / ANTHROPIC_BASE_URL), Git and GitHub interactions, and ability to modify a %USERPROFILE%\.claude settings file. Those capabilities should have been declared; their absence is an incoherence.
Instruction Scope: concernRuntime instructions tell the agent to run installers, call 'claude' in PTY mode, read git diffs and project files, create commits/PRs, add MCP servers (which may include providing environment variables), and modify local config (.claude/agents, settings.json). Many of these actions access user files and credentials (or would require them) but the skill metadata does not declare that scope or those needs.
Install Mechanism: concernThere is no formal install spec in the registry, but the SKILL.md recommends executing remote installers (e.g., 'irm https://claude.ai/install.ps1 | iex') and running npx commands for MCP servers. Piping remote PowerShell into iex is high risk (arbitrary remote code execution). These recommended install steps are unsafe unless the user verifies the source and integrity.
Credentials: concernThe document references and shows examples using ANTHROPIC_AUTH_TOKEN, ANTHROPIC_BASE_URL, and passing env VAR=value to MCP servers, but the skill declares no required env vars or primary credential. It also instructs operations that commonly require GitHub tokens (creating PRs) without declaring that need. Requesting or handling such credentials is proportionate to the tool's purpose, but the omission in metadata is a red flag and could lead to surprising credential access.
Persistence & Privilege: notealways:false (good). However, the instructions expect the skill/agent to write or modify user configuration under %USERPROFILE%\.claude and to add MCP servers and agents (persistent config). This is legitimate for a CLI integration but should be explicit in metadata because it modifies user state and can store tokens or endpoints.