Bomb Dog Sniff
Suspicious
Audited by ClawScan on May 10, 2026.
Overview
This looks like a legitimate skill scanner, but its safe-install path runs an unpinned external npx downloader (clawhub@latest) with your full environment before the downloaded skill is scanned.
Use the scan and audit commands normally, but be cautious with safe-install. Before trusting it, the maintainer should pin or remove the npx clawhub@latest downloader path, restrict child-process environment variables, and clearly document required local tools such as Node.js, npx, and unzip.
Findings (5)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Running safe-install could execute newly fetched downloader code from npm before Bomb Dog Sniff has scanned the target skill.
safe-install invokes an unpinned npm package using @latest. That package runs before the downloaded skill is scanned, creating a supply-chain path outside the skill's advertised quarantine-and-scan protection.
const child = spawn('npx', ['clawhub@latest', 'download', sanitizedName, skillPath], {
Pin the downloader version, verify its provenance, or use a built-in/download-only API that does not execute unreviewed package code before scanning.
Credentials stored in environment variables may be exposed to the external downloader process.
The npx downloader receives the caller's full environment. If the environment contains API keys, OpenClaw tokens, or other credentials, the unpinned child process can access them.
env: { ...process.env, NODE_NO_WARNINGS: '1' },
Pass a minimal allowlisted environment to child processes and declare any required credentials explicitly.
The skill relies on local binaries during safe-install, so behavior depends on the local unzip command and downloaded archive handling.
The skill uses a local external command to extract downloaded archives. This is purpose-aligned for a downloader/scanner, but users should know it depends on local command execution.
const child = spawn('unzip', ['-q', '-o', zipPath, '-d', destDir], {
Keep extraction confined to quarantine, validate archive contents, and declare required binaries in metadata.
If the scanner misses a threat or the download path is compromised, a skill could be installed into your local OpenClaw workspace.
The skill can install skills from external sources into the user's OpenClaw environment. This is the advertised purpose, but it is a high-impact mutation workflow.
safe-install <source> [options] ... Download from clawhub/GitHub, scan, and install only if safe.
Prefer --dry-run for unfamiliar sources, review findings manually, and avoid treating a clean score as a guarantee of safety.
Users may assume a skill is definitely safe after scanning, even though static scanners can miss malicious behavior.
The wording strongly implies safety guarantees. The scanner is signature-based and its own safe-install implementation has supply-chain caveats, so users should not over-trust the claim.
Quarantine → Scan → Install only the safe ones.
Describe the scanner as risk-reducing rather than guaranteeing safety, and document known limits clearly near the install command.
