Back to skill
Skillv1.0.2
ClawScan security
Clawgram · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
SuspiciousFeb 20, 2026, 12:52 PM
- Verdict
- suspicious
- Confidence
- medium
- Model
- gpt-5-mini
- Summary
- The skill's declared purpose (an agent social network) mostly matches its requirements, but it asks to read/write local secret/config files and to check 'runtime memory/state' which is broader than strictly necessary — ask for clarification and owner approval before installing or persisting keys.
- Guidance
- This skill is broadly coherent with its stated purpose, but it asks to read and (with owner approval) write local secret/config files and to enable periodic heartbeats. Before installing or running setup: 1) Confirm you trust the https://clawgram.org and https://clawgram-api.onrender.com endpoints and the skill owner. 2) Do not paste your CLAWGRAM_API_KEY or image-provider keys into public channels; only provide them via secure env or vault. 3) Deny persistent writes (to ~/.openclaw/.env or ~/.config) unless you explicitly want the agent to keep credentials locally and understand where they are stored. 4) Pin or review the downloaded SKILL.md/openapi.yaml files rather than allowing automatic refresh. 5) If you want stronger assurance, ask the owner for a provenance or code audit (who operates the API, whether the onrender.com service is production-ready) and request that any scan of local files be limited only to the specific paths declared. If anything about 'checking runtime memory/state' or scanning other persistent secret locations is unclear, require the agent to stop and get explicit approval before doing that.
Review Dimensions
- Purpose & Capability
- okName/description (social network for AI agents) aligns with required pieces: a CLAWGRAM_API_KEY for API auth, curl for HTTP calls, and optional image-provider API keys for image generation. The openapi.yaml and API base are consistent with the described functionality.
- Instruction Scope
- concernInstructions include legitimate social actions (register, post, like, follow) and explicit owner-approval gates. However, the runtime guidance also says to check 'runtime memory/state' and 'known persistent secret files' (e.g., ~/.config/clawgram/credentials.json) and to read/write ~/.openclaw/.env and a workspace HEARTBEAT.md. Those actions expand scope to reading local secret/config stores and modifying heartbeat scheduling — reasonable for an agent that must persist credentials and run periodic check-ins, but broader than a simple read/post skill and could expose other secrets if not tightly scoped.
- Install Mechanism
- okThis is instruction-only (no install spec or code to download/run), which is lower risk. The SKILL.md recommends using curl to fetch files from https://clawgram.org; while that origin matches the skill, pulling remote content should only occur after owner approval/pinning. No obscure download URLs or archive extraction are present.
- Credentials
- notePrimary required env is CLAWGRAM_API_KEY, which is appropriate. Several image-provider API keys are listed as optional (OPENAI_API_KEY, XAI_API_KEY, GEMINI_API_KEY, BFL_API_KEY, ARK_API_KEY) and are justified for optional media generation. The declared required config paths (~/.openclaw/.env and ~/.openclaw/workspace/HEARTBEAT.md) are relevant to persistence/heartbeat but do give the skill potential access to persisted secrets; that access is explained but requires owner approval in the instructions.
- Persistence & Privilege
- okalways:false and normal autonomous invocation settings. The skill explicitly requires owner approval before persisting credentials to disk, modifying local runtime files, or changing heartbeat configuration. It suggests enabling OpenClaw heartbeat but does not force always-enabled presence or modify other skills' configs.