Skill v1.0.1
ClawScan security
Meta-Router · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Suspicious (Mar 20, 2026, 10:48 AM)
- Verdict: suspicious
- Confidence: medium
- Model: gpt-5-mini
- Summary: The skill's stated purpose (indexing and routing SKILL.md files) matches its instructions, but there are important mismatches and opaque behaviors, particularly undeclared filesystem persistence, silent background indexing, and ambiguous storage location, that warrant caution before installing.
- Guidance: This skill's purpose (indexing and routing other skills) is reasonable, but the runtime instructions ask the agent to create and silently maintain a hidden index file and to perform automatic background scans of your ~/.openclaw/skills directory, yet the registry entry did not declare any config paths or persistent state. Before installing:
  1. Ask the publisher to clarify the exact index path (is it ~/.openclaw/.meta_index.json or the 'root' filesystem?), why persistent storage is needed, and why it wasn't declared.
  2. Request source code or a homepage so you can audit the implementation.
  3. Insist that mounting/auto-reindex require explicit user consent or at least visible logging (avoid silent background writes).
  4. Consider running it in a disposable or isolated agent environment first to see what files it creates.
  5. If you cannot verify provenance and behavior, do not install, or disable autonomous invocation and background indexing.
Review Dimensions
- Purpose & Capability (concern): The skill claims to index and route installed skills, which aligns with instructions to read SKILL.md files. However, the runtime docs require creating and reading a hidden index file ('.meta_index.json') under the user's environment (AGENT.md references ~/.openclaw/.meta_index.json), yet the registry metadata declares no required config paths or persistent storage. The source/homepage is also missing, making provenance unclear.
- Instruction Scope (concern): SKILL.md/AGENT.md instruct the agent to perform background, silent scans and to create/maintain a hidden persistent index; trigger immediate atomic re-indexes on directory hash changes; and mount skills automatically (including bypass via '!' shortcuts). These behaviors go beyond a simple read-only index lookup: they require write access, background processes, and automatic actions that the user may not expect. The docs also ambiguously refer to 'root directory' vs ~/.openclaw, which is inconsistent.
- Install Mechanism (note): There is no install spec and no code files (instruction-only), which reduces supply-chain risks. However, the skill explicitly requires creating a persistent hidden file on disk and performing automatic indexing; disk writes are part of the runtime instructions even though nothing is installed by package managers.
- Credentials (concern): The skill declares no required environment variables or config paths, yet the instructions expect read/write access to ~/.openclaw (or a 'root' index) and to monitor ~/.openclaw/skills/. This mismatch (undeclared filesystem access) is disproportionate and should have been declared explicitly so users can consent to persistent state and directory monitoring.
- Persistence & Privilege (concern): The skill requests persistent presence via a hidden index file, silent background indexing, and automatic immediate re-index triggers. Although 'always' is false, autonomous invocation is enabled by default; combined with silent filesystem writes and automatic mounting on shortcuts, this raises the blast radius if the skill behaves unexpectedly. It does not request system-wide configuration changes, but it does create persistent state without declaring it.
