Skill v0.9.2

ClawScan security

Multi User Privacy · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Suspicious · Mar 12, 2026, 5:40 AM
Verdict
suspicious
Confidence
medium
Model
gpt-5-mini
Summary
The skill's files broadly match its stated goal (multi-user privacy and per-user subagents), but there are several mismatches and risky behaviors (automatic subagent creation, a cold-start flow that lets the first connecting user become admin, networked web-admin and monitoring components, and undocumented external integrations) that merit review before installing.
Guidance
This skill is feature-rich and mostly coherent with a 'multi-user privacy' purpose, but there are several red flags you should check before installing:

- Review the code yourself (or have an engineer do it) before running any install or post-install scripts (auto-mount, auto-create-subagents, monitoring start scripts). Those scripts run on your machine and can create services, cron jobs, or write files under ~/.openclaw.
- The 'cold-start' flow lets the first user who talks to a fresh instance designate the admin account. On a new deployment that could be any external user; consider disabling or changing this behavior before using it in production.
- The skill includes a web-admin server and monitoring/alert scripts. If you enable them, make sure they are bound to localhost or protected by authentication and firewall rules. Do not expose the admin UI publicly without auditing it.
- The project references external integrations (GitHub publishing, Feishu (飞书) and other alerts) but declares no required env vars. If you provide tokens or webhooks, audit where they are stored and ensure the code uses them only for the intended actions.
- Test in an isolated environment (VM or container) first. Verify that automatic subagent creation, pending-queue processing, and sessions_spawn interactions behave as expected and do not create unintended processes or network listeners.
- If you plan to use it on a shared or production instance, require an explicit admin approval step for subagent creation and remove or modify the cold-start 'first user becomes admin' flow.

Bottom line: the skill is not obviously malicious, but it performs privileged, persistent, and networked operations; proceed only after code review and running inside a controlled/sandboxed environment.

Review Dimensions

Purpose & Capability
note: The codebase (privacy-guard, subagent integration, session persistence, web-admin, monitoring, quota manager) aligns with the stated multi-user privacy, isolation, and quota goals. However, the project also includes web server components, monitoring/alert scripts, GitHub publish scripts and Feishu (飞书) alert mentions but declares no required env vars or credentials, a mismatch between claimed integrations and declared requirements. The presence of many system-level scripts (auto-mount, auto-create-subagents.sh, systemd/cron examples) is heavier than a minimal 'privacy guard' and should be expected only if you want full gateway/service-level integration.
Instruction Scope
concern: SKILL.md and the scripts instruct the agent/operator to read and write many local config and state files (~/.openclaw/workspace, .user-context.json, memory files, router-db, pending queue, quota DB) and to integrate directly into the Gateway message flow. They also prescribe automatic creation of subagents (pending queue → sessions_spawn), running scripts, restarting the gateway, and starting a web admin on port 3456. Those instructions grant broad filesystem and runtime control and include a 'cold-start' flow that allows the first user to make contact to set the administrator identity, a significant trust boundary that could be abused on a fresh instance.
Install Mechanism
ok: No install spec is registered in the metadata (instruction-only), so the package does not automatically download remote code during install. That reduces supply-chain risk from the registry metadata. However, docs and release notes reference post-install scripts (node auto-mount.js) and a GitHub release; following those manual steps will execute local scripts from this package, so users should review them before running.
Credentials
concern: The skill requests no environment variables or credentials in its registry metadata, yet the codebase and docs reference external integrations (GitHub publishing, Feishu (飞书) alerts, monitoring, web admin) that normally require tokens or webhooks. That mismatch is concerning because the code contains tooling that reads/writes local credential-bearing config files and can start network services without declaring the secrets it needs. The skill also manipulates local agent config/state files (user context, memory, router DB), which is proportionate to its goals but means it will have access to potentially sensitive local data.
Persistence & Privilege
concern: While the skill is not marked always:true, it installs components that are intended to run persistently (web-admin server, monitoring, cron/systemd examples, scripts to process pending queues) and instructs integration with the Gateway message pipeline. The cold-start design (first user can set admin) and the automatic subagent creation (no manual approval) increase privilege and persistence risk on new deployments. Combined, these behaviors create a substantial runtime footprint that should be intentionally approved and sandboxed.