Skill v0.1.0

ClawScan security

Openclaw Guardian · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Reviewed: Mar 2, 2026, 3:21 AM
Verdict: Review
Confidence: high
Model: gpt-5-mini
Summary
The instructions claim to provide a guardian script and reference supporting files, but this package contains only prose and no script or reference files — the guidance also includes destructive operations (git reset --hard) and an optional webhook for external alerts, so you should not run these steps blindly.
Guidance
Do not run the commands in this SKILL.md as-is. The skill claims a guardian script (scripts/guardian.sh) and references/setup docs that are not included — ask the publisher for the actual guardian.sh and references/setup.md and review their full contents before executing. In particular: back up ~/.openclaw/workspace first (git reset --hard can irreversibly discard work), inspect any script for network calls or webhook transmissions before exporting DISCORD_WEBHOOK_URL, and prefer to run the script in a test environment or container. If the maintainer cannot provide the missing files or a trustworthy source (a public repo or release), consider the skill untrusted.

Review Dimensions

Purpose & Capability
Concern: The SKILL.md describes copying a concrete script (scripts/guardian.sh) and reference files (references/setup.md) that would be required for the skill to function, but the skill bundle contains no code files at all. Asking the user to 'copy from this skill' is inconsistent when no files are provided. The claimed capabilities (automated restart, git rollback, daily snapshots, Discord alerts) would legitimately require a delivered script or tooling; that artifact is missing.
Instruction Scope
Concern: The instructions tell the operator to run commands that read/modify their ~/.openclaw/workspace, initialize git, perform git reset --hard (rollback), pkill, and modify start scripts to auto-launch the guardian. Those actions are powerful and potentially destructive (git reset --hard will discard uncommitted/local changes). The SKILL.md also references an optional DISCORD_WEBHOOK_URL for external alerting; because the actual implementation is absent, it's unclear what data would be sent externally. The instructions grant broad discretionary actions (rollback logic, auto-backups) without providing the code that would implement safeguards.
Install Mechanism
Note: No install spec is provided (instruction-only), which minimizes direct installer risk but increases risk here because the SKILL.md promises files to copy that are not bundled. An expectation that the skill will supply scripts is inconsistent with the lack of any install or code artifacts.
Credentials
Concern: The registry metadata declares no required env vars, yet the runtime instructions reference DISCORD_WEBHOOK_URL and expect edits to a user's start scripts and workspace location (~/.openclaw/...). The skill does not declare or justify access to these paths or to any external webhook credential; that mismatch reduces transparency and could lead operators to export a webhook without knowing what will be transmitted.
Persistence & Privilege
Note: The skill does not request always:true and does not itself modify agent/system config. However, the guidance instructs the user to add the guardian to their auto-start scripts or systemd and to alter ~/.openclaw/start-gateway.sh, which grants the guardian persistent presence on the host if the user follows the instructions. That persistence is user-controlled (manual edits), but the skill's lack of bundled code means users would be attempting to source a script from an unknown location.