Skill v1.0.2
ClawScan security
Openclaw Skill Tools · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Suspicious · Mar 16, 2026, 3:11 AM
- Verdict: suspicious
- Confidence: medium
- Model: gpt-5-mini
- Summary: The skill's stated purpose (generate and scan SKILL.md files) matches its declared requirements, but its runtime instructions mandate always sending full skill content to an external API (which can include secrets), creating a data-exfiltration/billing/telemetry risk that users should understand before installing.
- Guidance: This tool appears to do what it says, but it requires you to send the full SKILL.md (and possibly full source files) to a third-party API and to always use that API for analysis. Before installing: (1) do not upload SKILL.md files that include real credentials, secrets, or sensitive configuration—remove or redact them; (2) verify portal.toolweb.in's reputation and privacy/billing terms; (3) prefer a disposable or limited-scope TOOLWEB_API_KEY if you must use the service; (4) consider running a local, manual review for high-sensitivity skills instead of relying solely on this remote scanner; (5) test with non-sensitive examples first to confirm behavior. If you need a fully offline scanner or require assurance that code never leaves your environment, this skill is not appropriate.
Review Dimensions
- Purpose & Capability (ok): The skill is an instruction-only generator/scanner that calls a remote service. Requiring curl and a TOOLWEB_API_KEY to reach portal.toolweb.in is coherent with the described purpose (proprietary remote analysis). No unrelated clouds or credentials are requested.
- Instruction Scope (concern): SKILL.md explicitly orders the agent to ALWAYS call the remote ToolWeb API and never produce an assessment locally. The scan workflow requires submitting the full SKILL.md (and README notes suggest submitting 'full source of all included files'). Those artifacts may contain sensitive data (embedded credentials, example tokens, or file paths). Forcing all scans to go off-instance increases risk of unintended secret disclosure and telemetry of user content.
- Install Mechanism (ok): There is no install spec and no code to download; the skill is instruction-only and relies on curl being present. This is the lowest-risk install model (nothing is written to disk by an installer).
- Credentials (note): Only one env var is required (TOOLWEB_API_KEY), which matches the declared primary credential and the described API usage. However, because the skill sends entire SKILL.md files and possibly 'full source', those uploads may contain other sensitive env names/values or secrets — the single credential request is proportional, but the data-sending behavior raises disclosure risk.
- Persistence & Privilege (ok): 'always' is false and the skill does not request elevated platform privileges or to modify other skills. It may be invoked autonomously (default), which is normal; that combined with remote upload behavior increases blast radius but is not a misconfiguration by itself.
