openclaw-insight
Pass
Audited by VirusTotal on May 11, 2026.
Overview
Type: OpenClaw Skill
Name: openclaw-insight
Version: 1.0.0
The skill bundle's documentation (SKILL.md) encourages a high-risk installation pattern using 'curl | bash' from an external GitHub repository (github.com/linsheng9731/openclaw-insight). The tool is designed to process sensitive local data, specifically OpenClaw session transcripts and metadata located in '~/.openclaw', which may contain private information or API keys. While these capabilities are consistent with the stated purpose of a usage analyzer, the reliance on unverified remote scripts for installation and the access to sensitive conversation history represent a significant security risk.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Installing it could run unreviewed code on your machine before you have confirmed what it does.
The recommended setup executes a mutable remote install script and installs a downloaded binary, while the reviewed package contains only instructions and no code or install spec to validate that behavior.
curl -fsSL https://raw.githubusercontent.com/linsheng9731/openclaw-insight/main/install.sh | bash ... Download the appropriate binary release
Inspect the installer and release artifacts first, prefer a pinned version with independently verifiable checksums, and avoid piping remote scripts directly to bash unless you trust the source.
The generated report may summarize or expose private details from your local AI assistant history.
The tool is documented as reading local OpenClaw session metadata and transcripts to generate reports; this is purpose-aligned, but those files may contain sensitive prompts, outputs, or workflow details.
~/.openclaw/ agents/{agentId}/ sessions/ sessions.json ... {sessionId}.jsonl # Per-session conversation transcripts
Limit the analysis window and agent scope when possible, review generated reports before sharing them, and only run the tool if you are comfortable with it processing your local session history.
