Threat Radar

Pass

Audited by ClawScan on May 10, 2026.

Overview

Threat Radar appears to be a disclosed security-monitoring skill, but it inspects local Docker/dependency/network/OpenClaw configuration data and can persist scan history or scheduled scans.

Install this only if you want a local security-monitoring tool. Before enabling full or scheduled scans, confirm the network scope, review alert destinations, and protect the generated reports, database, and logs. No artifact-backed malicious behavior was found.

Findings (6)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

The scan may reveal local images, dependencies, open ports, and services, and could be inappropriate on networks the user does not own or administer.

Why it was flagged

The skill explicitly supports Docker and local-network scanning, which can enumerate systems and services. This is central to the security-scanning purpose, but users should control where it runs.

Skill content

threat-radar scan --docker ... threat-radar scan --ports            # Port scan (local network)

Recommendation

Run scans only on systems and networks you are authorized to assess, and review configuration before using full scans or scheduled scans.

What this means

Reports may reveal details about the user's OpenClaw security posture and where sensitive configuration exists.

Why it was flagged

The skill may inspect security-sensitive OpenClaw configuration and credential-file permissions. The artifact frames this as permission checking, not secret reading or account mutation.

Skill content

OpenClaw config security — checks your OpenClaw setup against best practices ... Credential file permissions   ✓ 600

Recommendation

Keep generated reports private and verify that any shared output does not include secrets or sensitive configuration details.

What this means

Users have less external context for verifying the author, project history, or release source.

Why it was flagged

The skill's provenance is not documented in the supplied metadata. No remote installer or hidden dependency is shown, so this is a supply-chain clarity note rather than a malicious indicator.

Skill content

Source: unknown; Homepage: none

Recommendation

Inspect the included files before installation and prefer a pinned, trusted source if one becomes available.

What this means

Anyone with access to those files may learn about local services, package versions, or vulnerabilities.

Why it was flagged

The code stores scan state, history, and logs under the OpenClaw workspace. This is expected for monitoring but creates a local record of environment and vulnerability information.

Skill content

self.db_file = self.config_dir / "threat-radar.db" ... self.history_file = self.config_dir / "history.jsonl" ... self.log_file = self.config_dir / "threat-radar.log"

Recommendation

Protect the .openclaw workspace, avoid sharing logs/reports publicly, and remove stored data if the skill is no longer used.

What this means

Security findings could appear in third-party chat systems or be visible to channel members.

Why it was flagged

Alerting through external messaging providers can transmit vulnerability or asset details outside the local environment. This is disclosed and purpose-aligned, but it is a sensitive data boundary.

Skill content

Alerts you via WhatsApp/Telegram/Discord when new vulnerabilities affect your stack.

Recommendation

Configure alert destinations carefully, use private channels, and avoid sending secrets or unnecessarily detailed internal asset information.

Note (High Confidence)
ASI10: Rogue Agents

What this means

If enabled, scans may continue running after the initial setup until removed.

Why it was flagged

The skill documents optional scheduled background scans and also documents removal. This is consistent with continuous monitoring but is still persistent behavior.

Skill content

threat-radar cron-install            # Set up scheduled daily scans + CVE checks
threat-radar cron-remove             # Remove scheduled scans

Recommendation

Use cron-install only if you want ongoing monitoring, and use cron-remove or inspect your scheduler when disabling the skill.