Skill v1.1.3
ClawScan security
Pulse Board · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Benign · Mar 9, 2026, 12:08 PM
- Verdict: benign
- Confidence: high
- Model: gpt-5-mini
- Summary: The skill's code, files, and runtime instructions are consistent with its stated purpose (collect cron job outcomes, compose a twice-daily digest, and deliver it). The main risk is the expected one: raw logs are passed to the configured OpenClaw agent and may leave the host if that agent uses a cloud LLM.
- Guidance: This skill appears to do what it says. Before installing: (1) review the secrets env file it will source and make sure it contains only credentials you are comfortable sourcing into cron jobs; (2) verify that the OpenClaw agent you configure uses a local LLM (e.g., Ollama) if you want to keep raw logs on-host; otherwise the raw pending.log is included in the prompt and may be sent to a remote LLM; (3) make sure the jobs you plug in do not print secrets to stdout/stderr (Pulse Board cannot prevent wrapped jobs from echoing secrets into their detail logs); (4) confirm the exact crontab changes when prompted by install.sh. If privacy is critical, use only the mechanical fallback, run the digest agent with a local-only OpenClaw setup, or do not enable LLM composition.
- Findings: [pre-scan-injection-signals] expected: No injection signals detected. The key behavior of concern (raw log passed to an LLM) is implemented intentionally and documented rather than hidden; the absence of scanner hits is consistent with the visible code.
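Guidance items (1) and (3) above are the ones a practitioner can act on before the first digest is composed. The script below is an added example and is not Pulse Board's own code; the page does not show the skill's cron wrapper. It assumes the secrets env file is a plain KEY=VALUE file that sh can source, and the file names, variable names (TELEGRAM_BOT_TOKEN, DISCORD_WEBHOOK_URL), sample job and sample output are all constructed for the demonstration. list_secret_names shows which variables a secrets file would expose without printing their values; redact_secrets and wrap_job show how a job can be run with the secrets sourced while every secret value is scrubbed from its combined stdout/stderr before the output reaches a detail log that may later be passed to an LLM.

```sh
#!/bin/sh
# Added example (not part of Pulse Board). Scrub secret values sourced from an
# env file out of a wrapped job's output before it lands in a detail log.

# Print the variable NAMES declared in a KEY=VALUE env file, never the values.
# Handles optional "export " prefixes and skips comment lines.
list_secret_names() {
    sed -nE 's/^[[:space:]]*(export[[:space:]]+)?([A-Za-z_][A-Za-z0-9_]*)=.*/\2/p' "$1"
}

# Filter stdin to stdout, replacing every secret value from the env file with
# [REDACTED:NAME]. Matching is literal (index/substr), so tokens containing
# regex metacharacters such as . * / [ ] are handled safely. Values shorter
# than 8 characters are ignored so short common strings ("true", a port) are
# not blanked out of the log.
redact_secrets() {
    awk -v envfile="$1" '
    BEGIN {
        n = 0
        while ((getline line < envfile) > 0) {
            if (line ~ /^[[:space:]]*(#|$)/) continue
            sub(/^[[:space:]]*export[[:space:]]+/, "", line)
            eq = index(line, "=")
            if (eq == 0) continue
            key = substr(line, 1, eq - 1)
            val = substr(line, eq + 1)
            # strip one layer of surrounding quotes
            sub(/^["'\'']/, "", val)
            sub(/["'\'']$/, "", val)
            if (length(val) >= 8) { n++; keys[n] = key; vals[n] = val }
        }
        close(envfile)
    }
    {
        line = $0
        for (i = 1; i <= n; i++) {
            out = ""
            while ((p = index(line, vals[i])) > 0) {
                out = out substr(line, 1, p - 1) "[REDACTED:" keys[i] "]"
                line = substr(line, p + length(vals[i]))
            }
            line = out line
        }
        print line
    }'
}

# Run a job with the env file sourced and exported (as a cron wrapper would),
# redact its combined stdout/stderr, append the result to the detail log, and
# return the job's own exit status rather than the filter's.
wrap_job() {
    envfile=$1; logfile=$2; shift 2
    status_file=$(mktemp)
    {
        ( set -a; . "$envfile"; set +a; "$@" ) 2>&1
        echo "$?" > "$status_file"
    } | redact_secrets "$envfile" >> "$logfile"
    rc=$(cat "$status_file"); rm -f "$status_file"
    return "$rc"
}

# Constructed demonstration: a secrets file and a job that echoes the
# credentials it sourced. Prints the redacted log contents.
demo() {
    tmp=$(mktemp -d)
    cat > "$tmp/secrets.env" <<'EOF'
# delivery credentials (constructed, not real)
TELEGRAM_BOT_TOKEN="123456789:AAExampleTokenValue_notReal"
export DISCORD_WEBHOOK_URL='https://discord.example/api/webhooks/42/s3cr3t-path'
DEBUG=true
EOF
    : > "$tmp/pending.log"
    wrap_job "$tmp/secrets.env" "$tmp/pending.log" \
        sh -c 'echo "posting to $DISCORD_WEBHOOK_URL with token=$TELEGRAM_BOT_TOKEN"; echo "curl: (22) 401 Unauthorized" >&2'
    cat "$tmp/pending.log"
    rm -rf "$tmp"
}

demo
```

The redaction is a best-effort backstop, not a substitute for keeping secrets out of job output: a job that base64-encodes or truncates a credential before printing it will slip past a literal match, so it is still worth running list_secret_names and reading each plugged job's output once before enabling LLM composition.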
Review Dimensions
- Purpose & Capability (ok): Name/description match the implementation: scripts create ~/.pulse-board, append per-job lines, compose a digest via the openclaw agent (or a mechanical fallback), deliver to Telegram/Discord/log, and provide plug/unplug/install helpers. Required binaries and metadata correspond to the behavior.
- Instruction Scope (note): Instructions and scripts do exactly what is described. They explicitly source a user-provided secrets env (if present) into cron-wrapped commands and pass the raw pending.log to the configured OpenClaw agent as prompt context; this is intentional and documented in multiple places. That behavior enlarges the privacy surface: logs may be transmitted off-host if the agent uses a remote LLM.
- Install Mechanism (ok): No remote download or install is performed. The installer is an included script that writes files under the user's home directory and updates the user's crontab (via python3). No network installs or opaque external archives are used.
- Credentials (ok): No unexpected credentials or unrelated environment variables are required. Optional env vars and the secrets env file are used only to source delivery credentials and, optionally, LLM/workspace keys; install.sh only appends keys to the secrets env with explicit consent. The scope of env access is proportional to the stated functionality.
- Persistence & Privilege (ok): The skill does not request always:true and does not modify other skills' configurations. It writes only to ~/.pulse-board and the user's crontab (user-level). Cron entries and registry files are created and removed via the provided scripts, with confirmation prompts.
