Skill v0.1.1
ClawScan security
Openclaw Iterm2 Statusbar · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Suspicious · Mar 12, 2026, 5:50 AM
- Verdict
- suspicious
- Confidence
- medium
- Model
- gpt-5-mini
- Summary
- The skill's code mostly matches its stated purpose (displaying OpenClaw session info in iTerm2) but it reads undeclared local secrets/config files and the SKILL.md suggests piping a remote installer to bash — these inconsistencies and install behaviors warrant caution.
- Guidance
- What to consider before installing:
  - The code appears to do what it claims: poll a local OpenClaw Gateway and display cost/context in iTerm2. However the package metadata omitted that it needs an OPENCLAW_GATEWAY_TOKEN and reads ~/.openclaw/openclaw.json and ~/Library/LaunchAgents/ai.openclaw.gateway.plist. Treat that omission as a red flag: verify and understand where your token is stored before installing.
  - Avoid running the curl | bash one-liner without inspection. Instead download the repo or openclaw_status.py and inspect it locally before copying it into ~/Library/Application Support/iTerm2/Scripts/AutoLaunch.
  - Inspect ~/Library/LaunchAgents/ai.openclaw.gateway.plist (if present) to confirm it does not contain unrelated secrets you don't want scripts to read. Consider setting OPENCLAW_GATEWAY_TOKEN in your shell profile if you prefer explicitness.
  - Review ~/.openclaw/openclaw.json contents to ensure you are comfortable with the script reading it (it only reads compaction.reserveTokensFloor but user files can contain other data).
  - Confirm the OpenClaw Gateway is actually running on localhost:18789 and you trust its origin; the script only talks to that local endpoint (no external exfiltration observed), but a compromised local gateway could leak data.
  - If you decide to proceed, prefer manual installation (download, inspect, then copy) and keep backups of any tokens; if unsure, do not run the remote installer. If you discover unexpected behavior, remove the script from the AutoLaunch folder and revoke or rotate the gateway token.
Review Dimensions
- Purpose & Capability
- concern: The script's behavior (poll a local OpenClaw Gateway, read a gateway token, and read ~/.openclaw/openclaw.json) matches the stated purpose of showing session cost and context. However the skill metadata declares no required env vars or config paths while the code explicitly depends on an OPENCLAW_GATEWAY_TOKEN and a local config file, which is an incoherence that should have been declared.
- Instruction Scope
- note: SKILL.md instructs installing a Python iTerm2 script into the user's AutoLaunch directory and restarting iTerm2 — that is expected. The runtime instructions and code access local resources (127.0.0.1:18789), the environment variable OPENCLAW_GATEWAY_TOKEN, and ~/.openclaw/openclaw.json (to compute reserve tokens). Those file/env accesses are in-scope for the stated functionality but they are not declared in metadata.
- Install Mechanism
- note: The installer uses curl -fsSL to fetch scripts from raw.githubusercontent.com (a well-known host) and offers a curl|bash one-liner. Downloading from a GitHub raw URL is common, but piping remote scripts to bash is inherently risky — users should review the script before running it. The included install.sh writes only to the user's iTerm2 AutoLaunch folder (no system-wide changes).
- Credentials
- concern: Metadata reports no required environment variables or config paths, but the code reads OPENCLAW_GATEWAY_TOKEN (env or from ~/Library/LaunchAgents/ai.openclaw.gateway.plist) and ~/.openclaw/openclaw.json. Requesting a gateway token is reasonable for its function, but omitting this from the declared requirements is a mismatch and the plist-file lookup means the script will try to read a LaunchAgents plist (which may contain other environment data) — this should be documented and disclosed.
- Persistence & Privilege
- ok: The skill installs a user-level iTerm2 script into the user's AutoLaunch folder and does not request always:true or attempt to change other skills or system-wide settings. It does read user-local config files and a LaunchAgents plist but does not create system services or grant elevated privileges.
