Skill v0.1.2
ClawScan security
Claw Wiki · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Benign · Mar 14, 2026, 4:43 PM
- Verdict
- benign
- Confidence
- high
- Model
- gpt-5-mini
- Summary
- The skill is internally consistent with its stated purpose: it bundles a local OpenClaw docs snapshot plus scripts to validate, index, and refresh that snapshot and does not request unrelated credentials or system privileges.
- Guidance
- This skill appears to do exactly what it claims: answer from a checked-in OpenClaw docs snapshot and optionally refresh that snapshot using the included Python scripts. Before installing or running a refresh:
  - Inspect the sync script (scripts/sync_docs.py) to verify it only clones/fetches the intended upstream (or respects a pinned repo/ref) and does not accept arbitrary URLs from untrusted inputs.
  - Note that a refresh requires network access and git, and will write inside the skill folder (openclaw_docs/, state/, docs.json). Prefer installing the skill in a workspace-local skills directory, not a globally shared location, unless you trust the source.
  - The static scanner flagged potential prompt-injection and unicode-control-character patterns in SKILL.md. Although the skill includes an explicit Safety Contract, manually review SKILL.md and the scripts for any hidden/obfuscated directives before granting the agent permission to run an automated refresh.
  - Disable or explicitly approve any autonomous refresh actions (do not let the agent run the sync flow without your confirmation). If you want extra assurance, run the maintenance scripts yourself from a controlled environment (with a vetted upstream repo) rather than allowing the skill to do remote sync autonomously.
- Findings
- [system-prompt-override] unexpected: The static scanner flagged system-prompt-override patterns in SKILL.md. The SKILL.md actually contains an explicit 'Safety Contract' restricting behavior rather than an obvious attempt to override the system prompt, but any text that looks like prompt-control language is worth attention. Reviewers should confirm the skill will not attempt to alter agent/system prompts at runtime.
- [unicode-control-chars] unexpected: Unicode control characters were detected in SKILL.md content. This can be used to obfuscate instructions or influence text rendering. The presence is not expected for a docs lookup skill; inspect the SKILL.md and surrounding files to ensure there is no hidden/injected control content.
Review Dimensions
- Purpose & Capability
- ok: Name/description match the repo contents. The bundle contains a large local docs corpus and maintenance scripts (sync, validate, build, diff) which are appropriate for a documentation lookup + refresh skill. No unrelated environment variables, binaries, or config paths are requested.
- Instruction Scope
- note: SKILL.md restricts runtime behavior to reading the checked-in docs and running the included Python maintenance scripts only when the user explicitly requests a refresh. That is coherent with the purpose. Minor caveat: refresh operations involve git clone/fetch and network access; if invoked with arbitrary repo URLs (the scripts accept repo params in README examples) they could pull unexpected content. SKILL.md states a pinned upstream should be used, but the scripts themselves should be reviewed before running a remote sync to ensure they enforce the expected source.
- Install Mechanism
- ok: No install spec — instruction-only skill loaded from workspace. All code is included in the bundle (Python scripts and docs). README notes Python 3.10+, git, and ripgrep (rg) as recommended tools; there are no external archives or remote installers in the install spec.
- Credentials
- ok: The skill requires no environment variables or credentials. SKILL.md and SECURITY.md explicitly forbid credential discovery/exfiltration and treat example tokens in docs as inert. The only resources touched are files inside the skill directory and upstream docs when a refresh is requested.
- Persistence & Privilege
- ok: Skill is not always-enabled and requests no elevated platform privileges. It writes only inside its own directory (openclaw_docs/, docs.json, state/) during refresh according to its guardrails. It does not declare any cross-skill or system-wide configuration modifications.
