Skill v1.0.0

ClawScan security

智能盯盘 · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Suspicious · Mar 6, 2026, 6:11 AM
Verdict: suspicious
Confidence: medium
Model: gpt-5-mini
Summary
The skill generally matches a market-watching plugin, but there are inconsistencies (missing declared env var), an opaque external WebSocket endpoint, and an unstated npm dependency which together warrant caution.
Guidance
This skill appears to implement the stated market-watching functionality, but exercise caution before installing or supplying credentials. Ask the publisher for: (1) why registry metadata omits the required OPENCLAW_WS_TOKEN (confirm exactly what environment variable is required), (2) the npm package source URL or a checksum/repository for openclaw-glance-plugin so you can audit it, (3) clear documentation of what data is sent to ws://glanceup-pre.100credit.cn and what the token authorizes, and (4) whether a secure wss:// endpoint is available (ws:// is unencrypted). Avoid installing the npm package globally until you verify the package origin and contents. If you must test, use an isolated environment and a token with minimal privileges.

Review Dimensions

Purpose & Capability
concern: The skill's name/description (market watch/alerts) aligns with the code and instructions: it connects to a bridge, submits watch demands, and receives trigger events. However, the SKILL.md and scripts require an OPENCLAW_WS_TOKEN environment variable while the registry metadata lists no required env vars — that is an internal inconsistency. The skill also asks users to install an external npm package (openclaw-glance-plugin) that is neither bundled nor referenced by the registry metadata or a homepage, which is disproportionate for a simple instruction-only skill.
Instruction Scope
concern: Runtime instructions and the script explicitly connect to a fixed external WebSocket bridge (ws://glanceup-pre.100credit.cn) and use the token from OPENCLAW_WS_TOKEN. The SKILL.md tells the agent to create monitors and send notifications (openclaw/email/call). The code logs trigger events but does not show fine-grained controls over what exactly is sent to the bridge; the bridge could therefore receive user-provided monitoring parameters and possibly runtime events. The instructions do not ask the agent to read unrelated files, but the explicit external endpoint and token usage mean that sensitive data (the token and monitoring parameters) will be transmitted externally.
Install Mechanism
concern: There is no formal install spec in the registry, but SKILL.md instructs the user to run `npm install -g openclaw-glance-plugin`. That pulls code from the public npm ecosystem (moderate risk). The code imports OpenClawPluginAdapter from that package; the package's source, integrity (checksum), and publisher are not provided. The external bridge URL is a non-HTTPS ws:// endpoint on a third-party domain (100credit.cn), which increases risk compared to documented, auditable release hosts.
Credentials
concern: The only secret used is OPENCLAW_WS_TOKEN (required by both SKILL.md and the scripts). A token is sensible for a WebSocket authentication use-case, so a single credential is proportionate — but the registry metadata failing to declare any required env vars is an incoherence. Users need to know what the token grants and what data the bridge can access; the SKILL.md says the token is obtained from a webpage but provides no privacy/security explanation.
Persistence & Privilege
ok: The skill is not always-included and does not request elevated platform privileges. It does not modify other skill configs or system-wide settings. The plugin connects to an external service at runtime but does not request persistent agent-level privileges beyond normal operation.