Skill v2.0.1

ClawScan security

Web Claw · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Benign · Mar 10, 2026, 12:52 PM
Verdict
benign
Confidence
high
Model
gpt-5-mini
Summary
The files, scripts, and runtime instructions are coherent with a web dashboard installer: it legitimately needs elevated privileges, system packages, and to fetch the project source from GitHub; review and trust the upstream repo before running.
Guidance
This skill is internally consistent with its description, but it will perform system-level changes: it clones code from GitHub (pinned tag v2.1.0), installs packages into a venv, builds frontend assets with npm, writes nginx/site configs and systemd service units, and enables persistent services. Before installing: (1) verify and review the upstream GitHub release tag and templates (nginx/systemd) to ensure you trust the source; (2) be prepared to run with sudo and to restore/backup nginx and systemd configs if needed; (3) ensure DNS for any domain you plan to use points to the server before running certbot; (4) if you run other OpenClaw skills, note webclaw may import a shared erpclaw lib under ~/.openclaw — this is optional but examine it if present. If uncertain, test in a VM or isolated host first.

Review Dimensions

Purpose & Capability
ok
The skill claims to install and run a web dashboard and the included assets match that purpose: nginx, certbot, python, node/npm, systemd services, a local SQLite DB, and a pinned GitHub clone are all expected for this functionality.
Instruction Scope
note
SKILL.md directs running check_deps.sh and install.sh, which perform network fetches (git clone of a pinned release tag), install Python/npm deps, initialize a local SQLite DB, and write nginx/systemd configs. db_query.py also reads/writes the local DB and may import an erpclaw shared library from ~/.openclaw/erpclaw/lib if available; this is cross-skill shared-lib usage (fallbacks exist). All actions are within the dashboard's scope, but because they touch system config and other OpenClaw paths, review is advised.
Install Mechanism
note
There is no platform package install spec; installation is driven by included scripts which clone the repo from GitHub (https://github.com/avansaber/webclaw at tag v2.1.0), create a venv, run pip/npm, and write files into /etc and systemd. Using a pinned GitHub tag reduces risk, but the installer does fetch and execute code from the network and will write system-wide configs.
Credentials
ok
The skill does not request secrets or external API keys. It exposes an optional WEBCLAW_DOMAIN env var and uses SUDO_USER and the current user's home for paths; these are reasonable for a service installer. db_query.py inspects /etc/nginx/sites-enabled/webclaw and ~/.openclaw for local data, which aligns with its management role.
Persistence & Privilege
note
The installer requires sudo and will create/enable systemd services and nginx configs (persistent, system-wide presence). This is expected for a web service but is a high-privilege operation; ensure you are prepared for system-level changes.