Skill v0.4.1
ClawScan security
Zhuaxia · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Suspicious · Mar 17, 2026, 2:33 PM
- Verdict: suspicious
- Confidence: medium
- Model: gpt-5-mini
- Summary: The skill appears to implement the advertised export/import functionality, but its runtime instructions ask the agent to silently read files in your home directory and call an undeclared external command (clawhub), so review the script and behavior before installing.
- Guidance: Things to consider before installing:
  - The skill will read files under ~/.openclaw (IDENTITY.md, config, workspace) and search common folders for .claw files. This is consistent with backup/import, but the SKILL.md says these reads happen 'silently' before asking — if you don't want that, don't allow the skill to run until you've reviewed it.
  - The instructions call an external command 'clawhub' (and reference clawctl usage) but the skill metadata only declares node as required. Confirm that 'clawhub' is present on your system or understand what will happen when that command is missing.
  - Review scripts/clawctl.mjs yourself (or run it in an isolated sandbox) to verify there are no network exfiltration calls, that credential-stripping works as claimed, and that backups are created where you expect.
  - If you plan to share .claw files, inspect a generated package in a safe environment and verify secrets were removed before distributing.
  - If unsure, run the tool manually from a terminal (node scripts/clawctl.mjs --help) rather than allowing autonomous agent invocation, and consider running it on a disposable VM or container first.
Review Dimensions
- Purpose & Capability (note): The claimed purpose (export/import OpenClaw instances) matches the included CLI script and file operations. Required binary 'node' is reasonable. However, the SKILL.md instructs running 'clawhub list' (and references clawctl for rollback) even though 'clawhub' (or clawctl as a separate binary) is not declared as a required binary — a minor incoherence.
- Instruction Scope (concern): The SKILL.md explicitly tells the agent to 'silently gather' local data (ls ~/.openclaw/workspace/, cat IDENTITY.md, check ~/.openclaw/openclaw.json, search common folders for .claw files) before asking the user. Reading these user files is plausible for export/import, but doing so without asking is scope creep and a privacy risk. The instructions also run an external tool ('clawhub') not declared in requirements.
- Install Mechanism (ok): There is no network install spec and no downloads; the skill ships a local Node script (scripts/clawctl.mjs) and expects node on PATH, which is proportionate. No extract-from-URL or third-party package install step was specified in registry metadata.
- Credentials (ok): The skill does not request environment variables or credentials. It does read files under ~/.openclaw (workspace, IDENTITY.md, config), which is consistent with backing up an OpenClaw instance, but users should be aware those files can contain sensitive information despite claims of automatic stripping.
- Persistence & Privilege (ok): The skill does not set always: true and does not request elevated or system-wide configuration changes. It creates backups under ~/.openclaw/.zhuaxia-backups/ (expected for its purpose) and does not appear to modify other skills' configs per the provided instructions.
