Skill v0.1.6

ClawScan security

Openclaw Skill Ansible · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Review: Mar 4, 2026, 9:47 PM
Verdict: Review
Confidence: medium
Model: gpt-5-mini

Summary
The skill's files and runtime instructions broadly match its MeshOps purpose, but there are inconsistencies and several powerful, potentially risky operations (deploying archives, running commands, automatic capability registration/auto-claiming) gated by environment variables — the gating and registry metadata are inconsistent and need review before install.
Guidance

This skill is purpose-aligned for a MeshOps control plane, but review these before installing:

- Resolve the manifest mismatch: the registry summary says "no required env vars/bins" but metadata.yaml inside the package lists several gates and binaries. Confirm the marketplace metadata matches the packaged metadata.
- Treat the gating env vars (OPENCLAW_ALLOW_HIGH_RISK, OPENCLAW_ALLOW_RUN_CMD, OPENCLAW_ALLOW_DEPLOY_SKILL) as safety interlocks. Ensure they default to disabled (0) and are only enabled deliberately for vetted tasks.
- Confirm OPENCLAW_ALLOWED_CALLERS is set to a small trusted allowlist. If mis-set, remote callers could trigger deploy/run operations.
- Audit the deploy-skill workflow: it downloads HTTPS artifacts and extracts them to /opt/openclaw/skills. Although it requires a sha256 and https, validate the artifact sources and verify the SHA before enabling deployment in production.
- Review automatic behavior in SKILL.md: the design requires skills to auto-register capabilities and for executors to auto-claim tasks at reasoning start. If you do not want agents to autonomously claim/execute mesh tasks, do not load this skill into agents that must remain passive.
- Test in an isolated environment first: verify preflight, allowlists, artifact root behavior, and that run-cmd only permits the exact commands you expect.

If you want, I can list the exact lines/scripts that perform downloads, extractions, command execution, and automatic registration to make your audit easier.

Review Dimensions

Purpose & Capability
note: The name/description (MeshOps control-plane) aligns with the included docs, SKILL.md, and scripts: they implement ring-of-trust, CRDT sync, capability routing, and lifecycle ops. The presence of scripts to install plugins, deploy skills, run commands, and collect logs is coherent with an operator/mesh-control skill. However, the skill manifest shown earlier (registry summary) reported no required env vars/binaries while metadata.yaml inside the package lists several required env vars and binaries (OPENCLAW_* gates, openclaw, jq, curl, tar, sha tools, git). This mismatch is an incoherence to resolve.
Instruction Scope
concern: SKILL.md instructs agents to perform broad dispatcher behaviors (auto-register capabilities on load, auto-claim tasks at each reasoning step, write routing metadata into shared Yjs state). Those instructions give loaded agents autonomous authority to discover and claim work across a mesh. The runtime action scripts also read environment gates, write to filesystem locations (/opt/openclaw/skills, /var/lib/openclaw/artifacts), download artifacts from arbitrary HTTPS URLs (deploy-skill), and run CLI tooling. While many of these actions are gated, the SKILL.md's automatic/implicit side-effects (capability registration on load, automated claiming) expand the agent's scope significantly and deserve operator review.
Install Mechanism
ok: There is no package-install spec embedded (instruction-only at registry level) and code files are shipped in the skill bundle. The scripts themselves reach the external network via openclaw plugins install and curl (for deploy-skill), but those are invoked at runtime and are gated. No opaque downloads from personal IPs or shorteners; deploy-skill requires HTTPS and SHA256 verification. This is acceptable but still risky in practice because extracting remote archives into /opt is high-impact.
Credentials
concern: Declared envs in metadata.yaml (OPENCLAW_ALLOWED_CALLERS, OPENCLAW_ALLOW_HIGH_RISK, OPENCLAW_ALLOW_RUN_CMD, OPENCLAW_ALLOW_DEPLOY_SKILL, OPENCLAW_RUN_CMD_ALLOWLIST, OPENCLAW_ARTIFACT_ROOT) map to the skill's gating design and are not secret credentials, which is proportionate. But the registry summary reported no required envs (contradiction). Also, required envs control powerful actions: if gates are enabled (OPENCLAW_ALLOW_RUN_CMD=1, OPENCLAW_ALLOW_DEPLOY_SKILL=1, OPENCLAW_ALLOW_HIGH_RISK=1) and the caller allowlist permits a caller, the skill can download and extract archives and run commands (even though run-cmd has an allowlist, deploy-skill downloads arbitrary artifact URLs). This makes correct gate configuration critical.
Persistence & Privilege
note: always:false and disable-model-invocation:false (normal). The skill's documented behavior includes side-effects on agent startup (capability registration) and automatic claiming at each reasoning step; those are functional choices but increase the blast radius because agents with the skill become eligible executors and can be auto-invoked. Combined with the deploy-skill/run-cmd scripts, this raises risk if gating env vars or allowlists are misconfigured. The skill does not request system-wide config modification beyond installing skills or writing to /opt when operator-invoked.