Skill v0.1.1

ClawScan security

OpenClaw Contributor · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Benign · Mar 8, 2026, 11:39 PM
Verdict
benign
Confidence
high
Model
gpt-5-mini
Summary
The skill's files, instructions, and minimal runtime demands line up with its stated purpose of helping prepare OpenClaw PRs; it asks for no credentials, no installs, and only runs local git/pnpm-related checks appropriate to that task.
Guidance
This skill appears coherent and appropriate for preparing OpenClaw PRs. Before running it: (1) review the two bundled scripts (they only call git and produce validation recommendations / PR text) and the SKILL.md to ensure you are running them against the intended checkout, (2) run them in a trusted or sandboxed workspace (don't point them at an unknown/untrusted repo), and (3) note that the skill expects standard developer tools (python3, git, pnpm) to be present when you follow the recommended validation commands. There are no network callbacks, no credential requests, and no odd install steps; it's safe-looking for its stated purpose.

Review Dimensions

Purpose & Capability
ok: Name/description match the included resources: SKILL.md, PR template, checklist, and two helper scripts that generate validation recommendations and PR bodies. The requested actions (inspect CONTRIBUTING.md, run recommend_checks.py, run pnpm build/check/test) are appropriate for preparing OpenClaw contributions.
Instruction Scope
ok: SKILL.md instructs the agent to read repo-local CONTRIBUTING.md and run the bundled scripts against a local checkout. The scripts call git and derive recommended commands; they do not call external network endpoints or attempt to read unrelated system config. The runtime instructions are scoped to repository validation and PR prep.
Install Mechanism
ok: No install spec is provided (instruction-only skill with bundled scripts). No external archives or download URLs are used. Risk from installation is minimal.
Credentials
ok: The skill does not declare or require environment variables, credentials, or config paths. The scripts operate on a local git repo path supplied by the user; no secrets are requested or used.
Persistence & Privilege
ok: always:false and normal model invocation are used. The skill does not modify other skills or agent-wide config and does not request permanent elevated presence.