Skill v0.1.0

ClawScan security

Archon Vault · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Suspicious · Feb 25, 2026, 6:43 PM
Verdict: suspicious
Confidence: medium
Model: gpt-5-mini
Summary
The skill largely does what it says (vault backups/restores) but there are multiple inconsistencies and some risky runtime behavior (npx network pulls, undeclared runtime deps, and a recovery script that asks for a mnemonic on the command line) that warrant caution before installing or running it.
Guidance
This skill mostly matches its stated purpose (backup/restore Archon DID vaults) but has several practical and security issues you should consider before installing or running it:

- Missing runtime dependency declarations: the scripts use jq and sqlite3 (and rely heavily on zip/unzip), but these are not listed in the skill manifest. Ensure those tools are installed before running.
- npx usage: the scripts call npx @didcid/keymaster at runtime. npx fetches code from the npm registry each run — review the @didcid/keymaster package source and trustworthiness before allowing runtime network installs.
- Mnemonic handling risk: disaster-recovery.sh requires the 12-word mnemonic as a command-line argument, which can be observed via ps and saved to shell history. Prefer methods that read the mnemonic from a secure prompt or file with restricted permissions instead of a CLI arg.
- Passphrase exposure: scripts source ~/.archon.env and export ARCHON_PASSPHRASE so child processes can access it. This is necessary for npx but increases exposure; protect ~/.archon.env and avoid running these scripts in multi-user environments.
- Backup scope: defaults archive your workspace (script uses $PWD) and ~/.openclaw and may include sensitive data. Review and populate .backup-ignore carefully and run the backup from the correct working directory (the script warns about running from $HOME or /).
- External endpoint: by default uploads go to https://archon.technology. If you need to avoid third-party servers, set ARCHON_GATEKEEPER_URL to a trusted local endpoint.

Recommended actions before using:

1) Inspect the @didcid/keymaster package source/version that npx will fetch.
2) Install and verify jq, sqlite3, zip/unzip if you plan to run verification scripts.
3) Never pass your mnemonic on the command line; modify disaster-recovery.sh to read it from stdin or a protected file.
4) Backup and test in a controlled environment; verify .backup-ignore excludes anything sensitive.
5) If you cannot audit the upstream npm package, avoid running npx calls on a machine with sensitive data.

Given the combination of undeclared deps, runtime package fetching, and unsafe mnemonic handling, proceed only after addressing these issues or classify the skill as high-risk for machines holding sensitive data.

Review Dimensions

Purpose & Capability
Note: The requested credentials (ARCHON_WALLET_PATH, ARCHON_PASSPHRASE) and the use of @didcid/keymaster align with an Archon DID vault backup/restore skill. However, the declared required binaries do not match what the scripts actually use: SKILL.md lists node, npx, tar and optionally zip/unzip/sha256sum, but the scripts rely heavily on zip/unzip, jq, sqlite3 and du; tar is declared but not used. This is inconsistent and suggests the manifest was not kept in sync with the code.
Instruction Scope
Concern: The scripts will archive user workspace and ~/.openclaw and upload them to an external gatekeeper (default https://archon.technology). They also back up hexmem.db (memory) and will source ~/.archon.env (which contains the passphrase). The disaster-recovery script accepts a 12-word mnemonic as a plain CLI argument — this leaks the mnemonic to process listings and shell history. The scripts export ARCHON_PASSPHRASE into the environment for npx subprocesses, which exposes secrets to child processes. These behaviors are within a backup tool's domain but are sensitive and should be highlighted and mitigated.
Install Mechanism
Concern: There is no install spec, but the scripts call npx @didcid/keymaster at runtime. npx will fetch and execute packages from the npm registry at runtime, which means network-downloaded code runs on the machine whenever used. That is expected for npx usage but is higher-risk than a shipped, pinned binary. Also the manifest does not declare runtime dependencies like jq and sqlite3 that the scripts use.
Credentials
Note: Requesting ARCHON_WALLET_PATH and ARCHON_PASSPHRASE is proportionate for a vault wallet tool. However the scripts also reference ARCHON_GATEKEEPER_URL (not listed in requires.env) and they source ~/.archon.env (implicitly relying on it). Exporting the passphrase for npx child processes and accepting mnemonics on the command line are sensitive practices that increase exposure of credentials.
Persistence & Privilege
OK: The skill is not always: true, does not request system-wide config changes, and does not attempt to modify other skills. Autonomous invocation is allowed by default but is not, by itself, a red flag here.