Skill v0.1.0

ClawScan security

project-factory · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Suspicious · Apr 29, 2026, 3:35 PM
Verdict
suspicious
Confidence
medium
Model
gpt-5-mini
Summary
The skill's files and instructions mostly match a project bootstrapper, but it writes and updates global OpenClaw config and agent files (under ~/.openclaw and shared routing), and the registry metadata does not declare the tokens/credentials it expects — this combination is high-impact and deserves caution.
Guidance
This skill is largely what it claims (a project bootstrapper) but it will modify global OpenClaw configs and create/register agent entries under your home directory. Before installing or running it:
1) Review the scripts locally (especially bootstrap_project.py, upgrade_project.py) to confirm you want writes to config/project_routing.json and ~/.openclaw/openclaw.json.
2) Run in dry-run/validate mode first (scripts provide --dry-run / --validate-only) to preview changes.
3) Do not provide bot tokens or chat IDs to the skill until you confirm the target is correct; prefer entering them interactively rather than storing them centrally.
4) If you share an OpenClaw instance, be cautious: the bootstrap may update shared routing and topic ownership — verify with maintainers first.
5) If you do not want persistent global changes, run the scripts in an isolated workspace or container and avoid applying the steps that update ~/.openclaw or the global project_routing.json.
6) Consider disabling autonomous invocation for this skill (or require explicit confirmation) so it cannot run the bootstrap flow unprompted.

Review Dimensions

Purpose & Capability
note
Name/description (bootstrapping an automation project) align with the included scripts (bootstrap_project.py, upgrade_project.py, etc.) which generate project scaffolds, routing entries, and run/monitor scripts. However, the skill performs global changes (writes to config/project_routing.json and ~/.openclaw/openclaw.json, registers assistant entries and may copy agent runtime files) which are high-impact operations. Those actions are coherent with a bootstrapper but are more privileged than a simple local scaffold generator — the user should expect global routing and agent registration changes.
Instruction Scope
concern
SKILL.md describes a four-phase interactive workflow and recommends human confirmations, but it also says the skill 'Triggers whenever' certain phrases appear and suggests automatic model escalation. The included scripts read and write multiple system/global paths (workspace projects/, config/project_routing.json, ~/.openclaw/*) and will update routing/agent registrations if run. The instructions rely on interactive collection of bot token/chat id but the skill’s metadata does not declare those as required env vars. The LLM-facing instructions also assert Phase 0 is 'internal reasoning' (no external calls), but actual runtime can (via generated scaffold/scripts) interact with system files and the OpenClaw cron API — so the instruction surface is broader than a pure diagramming helper.
Install Mechanism
note
No install spec (instruction-only + included Python scripts) — no external downloads. That's lower risk than remote installs. But the package includes multiple executable scripts that will be written into projects/ and will modify user configs when executed. There is no external URL or archive; risk comes from local file writes and config mutations rather than supply-chain downloads.
Credentials
concern
Registry metadata lists no required env vars, but README and scripts clearly expect Telegram BOT_TOKEN and CHAT_ID (passed as CLI args or filled during interactive flow). Scripts also read and write ~/.openclaw openclaw.json and agent files (auth-profiles.json, models.json) and may copy those into new assistant directories, which could duplicate sensitive runtime/auth data. Requesting no declared credentials while the tool will prompt for or write tokens is an inconsistency and increases risk.
Persistence & Privilege
concern
always:false (good), but the skill includes code that modifies system-wide OpenClaw state: writing config/project_routing.json and ~/.openclaw/openclaw.json, creating agent dirs, and registering a new assistant. Those are persistent and platform-wide changes. Because the platform allows autonomous invocation by default, if the agent runs the bootstrap scripts without careful gating, the skill could silently alter routing or register agents — this raises the blast radius even though autonomous invocation alone isn't inherently bad.