Back to skill
Skillv1.0.0
ClawScan security
gateway-control-ui · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
SuspiciousMar 11, 2026, 10:19 PM
- Verdict
- suspicious
- Confidence
- medium
- Model
- gpt-5-mini
- Summary
- The instructions match the stated purpose (logging into the Control UI and approving pairing) but the skill references sensitive local files and credentials that are not declared in the registry metadata and includes insecure guidance (embedding credentials in a URL).
- Guidance
- This skill appears to genuinely guide UI login and pairing, but it instructs reading a local config file (/data/.openclaw/openclaw.json) and using credentials (SERVICE_USER_OPENCLAW / SERVICE_PASSWORD_OPENCLAW) that are not declared in the metadata. Before installing or allowing autonomous use: (1) prefer running these steps manually rather than giving an agent automatic filesystem/auth access; (2) do not embed credentials in URLs — use the UI's login form or a secure credential store; (3) ask the publisher to update the skill metadata to declare required config paths and env vars so you can judge what will be accessed; (4) if you must run via the agent, restrict its permissions so it can only read the specific config file and nothing else, and audit logs for access to secrets.
Review Dimensions
- Purpose & Capability
- concernThe skill's described purpose (UI login, paste gateway token, approve pairing) aligns with the commands shown (openclaw CLI, cat). However the SKILL.md requires reading /data/.openclaw/openclaw.json and using SERVICE_USER_OPENCLAW/SERVICE_PASSWORD_OPENCLAW values while the manifest declares no required config paths or env vars — an inconsistency that should be explained.
- Instruction Scope
- concernThe runtime instructions explicitly tell an agent to read a host filesystem path (/data/.openclaw/openclaw.json) and to use credential values (SERVICE_USER_OPENCLAW, SERVICE_PASSWORD_OPENCLAW) that are not declared. It also suggests embedding user:pass in a URL (https://user:pass@...), which is insecure. These steps can expose secrets and grant access to sensitive state; they extend beyond purely UI navigation guidance.
- Install Mechanism
- okNo install spec and no code files — instruction-only reduces installation risk. Declared required binaries (openclaw, cat) are reasonable for the task.
- Credentials
- concernThe skill declares no required environment variables or config paths, yet the instructions reference SERVICE_USER_OPENCLAW, SERVICE_PASSWORD_OPENCLAW, and a specific config file path containing the gateway token. Requesting access to those secrets/configs would be proportionate to the task, but the omission in metadata is a mismatch and makes it unclear what the skill expects to access.
- Persistence & Privilege
- okalways:false and no install activity; the skill does not request persistent presence or modifications to other skills. Autonomous invocation is allowed (platform default) but is not combined here with unusual privileges.