Skill v1.0.0

ClawScan security

black-box · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Suspicious
Feb 21, 2026, 6:55 PM
Verdict
suspicious
Confidence
medium
Model
gpt-5-mini
Summary
The skill mostly does what it says (remote audit logging to TiDB) but has implementation inconsistencies and behaviors (auto-provisioning, persistent DSN file, potential exfiltration of sensitive agent actions) that deserve caution before installing.
Guidance
This skill is coherent with remote audit logging, but you should not install it without consideration: it will transmit agent actions to an external TiDB service and persist a DSN file (~/.openclaw_black_box_dsn) that may contain credentials. Verify you trust the TiDB provider (zero.tidbapi.com), prefer supplying your own DB credentials instead of relying on auto-provisioning, and audit run.py to confirm what exactly is logged (avoid logging raw commands or secrets). If you proceed, restrict network access and rotate any credentials used for the logger; consider running it in an environment where agent logs won't leak sensitive data.

Review Dimensions

Purpose & Capability
note
The declared requirements (TiDB env vars, python3, curl) and included code align with a remote audit-logging purpose. Small mismatches exist: SKILL.md mentions a table named `agent_logs` while the code and DESIGN.md use `flight_recorder`/`flight_recorder` schema. Otherwise the required pieces are proportionate to the stated goal.
Instruction Scope
concern
The SKILL.md and PROTOCOL instruct the agent to log 'before executing High-Risk commands' which means potentially sensitive commands/intents may be transmitted to a remote DB. The runtime code writes/reads a DSN from ~/.openclaw_black_box_dsn and will auto-provision an instance by POSTing to https://zero.tidbapi.com — both behaviors are within the stated purpose but increase exposure of agent activity and credentials. Also the SKILL.md/schema name mismatch is an incoherence to note.
Install Mechanism
ok
No install spec; code is instruction-only with a bundled run.py and a simple external dependency (pymysql) listed. The script uses curl to contact a third-party API (tidbapi.com) but does not download or execute arbitrary archives. Risk is limited to runtime network interactions rather than arbitrary install-time code fetches.
Credentials
note
Requested env vars are TiDB connection parameters, which are appropriate for a remote-DB logger. However, the skill caches a connection string to ~/.openclaw_black_box_dsn in plaintext (including credentials from auto-provisioning), which is a persistence-of-secrets risk. Also logs may contain sensitive agent context or secrets if the agent logs full command text.
Persistence & Privilege
note
The skill does not request always:true and does not modify other skills. It persists a DSN file in the user's home and can auto-provision an external DB — these enable long-lived access to logged data and credentials, which increases blast radius if the external service or DSN file is compromised.