Skill v1.6.2

ClawScan security

Remote Jobs Finder · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Benign · Feb 16, 2026, 11:23 AM
Verdict: benign
Confidence: high
Model: gpt-5-mini
Summary
Files, instructions, and environment access are consistent with a conversational OpenClaw skill that uses a server-side Remote Rocketship API key through a locally installed gateway extension.
Guidance
This skill appears to be what it says: a conversational job-finder that requires a server-side RR_API_KEY. Before installing, review and do the following:
1) Inspect the included extension files (index.ts/openclaw.plugin.json). They are small and understandable; they only POST to https://www.remoterocketship.com/api/openclaw/jobs and return the response.
2) Only set RR_API_KEY if you trust the Remote Rocketship account, and rotate/revoke keys as needed; store it in the systemd service environment as instructed and restrict access to the host.
3) If you require automatic periodic monitoring (hourly/daily), plan to run a scheduler or add server-side code; the bundle does not include a persistent polling service.
4) Install the files from a trusted source (the GitHub repo link in SKILL.md) and verify that future updates come from that repo to avoid supply-chain risks.
5) Run the extension on an isolated host or with appropriate host-level permissions if you're concerned about key exposure.
If you want, I can point out the exact lines in index.ts that send the API key and the HTTP request so you can show them to an admin.

Review Dimensions

Purpose & Capability
ok · The skill claims to fetch Remote Rocketship jobs, and the bundle includes a small gateway extension that registers rr_jobs_search and posts to remoterocketship.com using an RR_API_KEY. Requiring a server-side API key is appropriate for this purpose.
Instruction Scope
note · SKILL.md stays within scope: it requires using the rr_jobs_search tool, instructs not to ask users for secrets, and specifies the conversational flows and pagination state. One minor gap: the doc mentions optional 'monitoring' (check every hour), but the bundle does not provide a scheduler or persistent monitor; that requires extra server-side setup not included in the skill files.
Install Mechanism
ok · No remote downloads or package installs. The provided install-server.sh copies two local files into ~/.openclaw/extensions. This is a low-risk, manual install mechanism; the files are readable in the bundle, so the behavior is auditable.
Credentials
note · The gateway extension reads process.env.RR_API_KEY to authenticate requests to Remote Rocketship. That environment variable is appropriate and scoped to the service. Small inconsistency: the skill metadata lists no required env vars, but the runtime extension does require RR_API_KEY; the SKILL.md and README do document this and instruct the admin to set it server-side.
Persistence & Privilege
ok · The skill sets always:false and makes no attempt to modify other skills or system-wide settings beyond asking the admin to add an Environment entry to the openclaw-gateway service. The extension writes to ~/.openclaw/extensions only and registers one tool; this is proportional for the plugin's purpose.