Skillv1.0.0

ClawScan security

Claw-Value-Judge · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

SuspiciousMar 14, 2026, 2:59 PM

Verdict: suspicious
Confidence: medium
Model: gpt-5-mini
Summary: The skill's code and instructions generally match its stated purpose (collect OpenClaw usage data and produce a playful evaluation), but it automatically reads local OpenClaw logs/config and runs a web server that can expose that data and call external APIs — combined with a pre-scan prompt-injection signal, this warrants caution and a manual code review before use.
Guidance: Before installing or running this skill: 1) Review scripts/server.py, lib/image_generator.py and any network-calling code to see what external endpoints are contacted and which data is sent. 2) Expect the collector to read ~/.openclaw, openclaw.json, workspace/skills and /tmp/openclaw logs — these may contain API keys, webhook URLs or other secrets; if you have sensitive data there, do not run the service without isolating the environment. 3) Do not start the server with --host 0.0.0.0 on an untrusted host or without a firewall; prefer localhost binding for local testing. 4) Unless you inspect and trust the image-generation endpoint, avoid setting DASHSCOPE_API_KEY or other API keys. 5) Because the pre-scan found a base64-block prompt-injection pattern, manually inspect SKILL.md and code for any embedded/obfuscated content or commands before use. 6) If unsure, run the skill inside a sandbox/container and audit the network traffic and created DB (~/.openclaw/workspace/data/clawvalue.db) to confirm no sensitive information is exfiltrated.
Findings: [base64-block] unexpected: Static pre-scan flagged base64-block patterns inside SKILL.md (prompt-injection style indicator). That pattern is not expected for a benign analytics README and could indicate embedded/obfuscated payload or attempts to manipulate automated evaluators; you should inspect SKILL.md and any large embedded strings for hidden content before trusting the skill.

Review Dimensions

Purpose & Capability: okName/description align with the implementation: the package contains collectors, parsers, an evaluation engine, a Flask server and UI assets to aggregate OpenClaw usage and produce reports. The included modules (collector, parser, evaluation, DB model, image generator) are what you'd expect for an analytics/evaluation tool.
Instruction Scope: concernSKILL.md instructs the user to run scripts/server.py which (per the code base) will '自动采集 OpenClaw 数据' by scanning ~/.openclaw, openclaw.json, workspace/skills and /tmp/openclaw logs. That is within the declared purpose but is broad: the collector reads user log files, skill directories and config files. The README also suggests calling '大模型 API' for generating '锐评' without specifying required model endpoints or credentials (vague guidance which could lead to data being sent to external services). The server can be bound to 0.0.0.0 (explicitly advised), which increases risk of exposing collected data publicly.
Install Mechanism: okThis is instruction-only; installation is via pip install -r requirements.txt (flask, requests). No remote binary downloads or obscure install URLs are used. Code is included in the bundle so nothing hidden is downloaded at install time.
Credentials: concernThe skill requests no required environment variables but uses optional DASHSCOPE_API_KEY for image generation. More importantly, the collector reads local OpenClaw configuration, workspace skills, and /tmp/openclaw logs — these files may contain tokens, webhook URLs or other secrets. The SKILL.md does not enumerate or warn about all sensitive fields that may be collected. CLAWVALUE_DATA_DIR and default DB paths are used to store data in the user home directory.
Persistence & Privilege: concernThe skill creates and stores a local SQLite DB (default under ~/.openclaw/workspace/data/clawvalue.db or path via CLAWVALUE_DATA_DIR). While 'always' is false, the server can be started to listen on all interfaces (0.0.0.0) which would expose the API/HTML UI and any collected data to the network. Combined with optional external API calls for image generation, this increases the blast radius if misconfigured.