Skill v1.0.0
ClawScan security
cz-studio-agent · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Benign · Mar 4, 2026, 10:06 AM
- Verdict: Benign
- Confidence: high
- Model: gpt-5-mini
- Summary: This skill's code, instructions, and requested credentials are consistent with its stated purpose (a local Node-based bridge to a remote Studio Agent); nothing obvious is requesting unrelated credentials or performing unexplained network downloads.
- Guidance: This skill appears to do what it says: run local Node scripts that proxy JSONL to a Studio WebSocket. Before installing or running it, review the example config and decide where CZ_AGENT_TOKEN and CZ_AGENT_WS_URL will be stored. The configure/apply step will write to your OpenClaw config (and can restart the gateway), which is expected but is a privileged action. Also be aware that the oneshot/proxy scripts inherit the agent process environment — avoid running the agent with unrelated secrets in environment variables you don't want the proxy to see. If you want extra caution, inspect the full scripts locally and run the validate step (node .../configure-skill.mjs validate) in dry-run mode before apply.
Review Dimensions
- Purpose & Capability (ok): Name/description, declared primaryEnv (CZ_AGENT_TOKEN), and required binary (node) match the included scripts and documented behavior. The skill legitimately needs CZ_* connection/config values and access to the OpenClaw skill env map to build a WebSocket connection to a Studio Agent.
- Instruction Scope (note): SKILL.md and the scripts instruct the agent to read the OpenClaw config (skills.entries['studio-agent'].env or ~/.openclaw/clawdbot.json) and to run local Node scripts that proxy JSONL messages to a remote WebSocket. This is expected for the bridge, but the runtime does read and propagate CZ_* env values and may inherit the agent's full process.env when spawning the proxy/runner — users should be aware the proxy process will run with the agent's environment.
- Install Mechanism (ok): No download/extract/install spec is provided (instruction-only with bundled scripts). The scripts are local Node programs; nothing is fetched from arbitrary URLs or third-party registries during install.
- Credentials (note): Requested/used environment variables are all CZ_* connection/config variables relevant to connecting to a Studio WebSocket (CZ_AGENT_WS_URL, CZ_AGENT_TOKEN, CZ_INSTANCE_ID, etc.). This is proportionate. A notable behavior: the oneshot proxy spawns a child process inheriting process.env and merges in skill env — that means any env present in the agent process will be visible to the spawned proxy process, so users should avoid running the agent with unrelated secrets in the environment if they don't want them exposed to the proxy process.
- Persistence & Privilege (note): always:false (no forced inclusion). The included configure-skill script can write the skill's env into the OpenClaw config and optionally run 'openclaw gateway restart' (via execFileSync) when applying changes. Modifying the OpenClaw skill env is expected for configuration, but it is a privileged action — the user should understand that running the 'apply' step will change their OpenClaw config and may restart gateway services if requested.
