Skill v3.3.0
ClawScan security
ERP Claw · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Suspicious · Mar 20, 2026, 10:16 PM
- Verdict
- suspicious
- Confidence
- medium
- Model
- gpt-5-mini
- Summary
- The skill mostly matches its ERP purpose (Python + git, local SQLite DB) but includes self-extending/module-install and web-deploy behaviors that are under-specified and could allow downloading/executing code; these aspects need further review before installing.
- Guidance
- This skill appears to be a full-featured local ERP implemented in Python and using a local SQLite DB, which fits its description. However, before installing or enabling it you should:
  1) Inspect module_manager.py and any install/update code to confirm module installs are restricted to trusted sources (SKILL.md claims GitHub avansaber/* only).
  2) Review the 'setup-web-dashboard' and any deployment scripts to understand what system services (nginx, ports, docker, root privileges) they require — those tools are not declared as dependencies.
  3) Run the skill in an isolated/test environment first (not on production hosts) so you can observe network calls and file writes under realistic usage.
  4) Back up any important data in ~/.openclaw before use.
  5) If you want a deeper check, provide the module_manager.py and setup-web-dashboard-related files so I can verify whether remote code fetches are properly restricted and require explicit confirmation.
Review Dimensions
- Purpose & Capability
- note: The skill's name/description align with the required binaries (python3, git) and local SQLite usage. However the SKILL.md advertises self-extending modules and a 'setup-web-dashboard' that auto-clones, builds and deploys with nginx+SSL — capabilities that imply additional tools (node, npm, build toolchain, nginx, or docker) and privileges which are not declared in the manifest. That mismatch is noteworthy.
- Instruction Scope
- concern: Runtime instructions and SKILL.md emphasize local-first storage (~/.openclaw/erpclaw/data.sqlite) and say network operations (fetch-exchange-rates, install-module/update-modules) require user confirmation. However the repo contains an OS layer (erpclaw-os) and module management/generator scripts (generate_module, install_suite, module_manager, in_module_generator) that can create/install modules and auto-clone repositories. It is unclear from the manifest whether module installation is strictly limited to vetted avansaber/* GitHub repos or whether arbitrary code could be fetched/executed; the SKILL.md promises confirmation before installs but enforcement is not visible here. The 'setup-web-dashboard' step that auto-clones/builds/deploys is a further scope creep: it may touch system services and network ports beyond the stated local-only model.
- Install Mechanism
- ok: There is no install spec (instruction-only) so nothing will be automatically downloaded or extracted by the platform installer. That lowers supply-chain risk from the registry. Still, the included scripts themselves perform runtime operations that may fetch code (module installs) when invoked.
- Credentials
- ok: The skill declares no required environment variables and only an optional ERPCLAW_DB_PATH to override the default local DB path. Storing data in ~/.openclaw/erpclaw/data.sqlite is consistent with the ERP purpose. It does not request unrelated cloud credentials or broad system config paths in the metadata.
- Persistence & Privilege
- note: always:false and normal autonomous invocation are used. The skill includes cron entries that schedule suggested actions (e.g., process-recurring, generate-recurring-invoices). If the platform runs those cron-triggered actions automatically, the skill could perform periodic DB operations. This is not necessarily malicious, but combined with module-install and web-deploy capabilities (which could alter runtime behavior or add services) it increases the blast radius and should be considered.
