Skill v0.2.9

ClawScan security

Tophant Clawvault Installer · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Benign · Apr 28, 2026, 6:45 AM
Verdict: benign
Confidence: medium
Model: gpt-5-mini
Summary
The skill appears to do what it says — it installs and manages a local ClawVault MITM-style proxy using a dedicated venv and local config — but it legitimately requires actions (MITM inspection, pip installs, and modifying an OpenClaw systemd unit) that have meaningful security and supply-chain implications which you should review before installing.
Guidance
This installer is internally coherent for its stated purpose (a local MITM inspection proxy) but that purpose itself is high-risk and should be intentionally chosen. Before installing:
- Read SECURITY.md fully and confirm a MITM proxy fits your threat model — ClawVault will see API requests/responses (including API keys) and stores audit logs locally.
- If you do not want the skill to modify OpenClaw integration, run install with --no-proxy and manually wire integration after review. Back up ~/.config/systemd/user/openclaw-gateway.service first.
- Prefer installing in a disposable VM/container for initial evaluation. The script creates a venv but will run pip (PyPI or pinned GitHub) with no checksum/signature verification — inspect the pinned tag/commit referenced (v0.1.0) before trusting it in production.
- Note default behavior disables TLS verification for proxied connections in order to inspect traffic; review and change that setting if it doesn't match your risk tolerance.
- The dashboard binds to localhost by default and has no built-in authentication; use SSH tunneling or a reverse proxy with auth for remote access.
- After installation, verify the installed package version and review files under ~/.clawvault-env/ and ~/.ClawVault/ (config, audit.db, logs). Use --no-start if you want to install without launching services.

If you want a lower-privilege alternative, do not install this skill on production hosts or on machines storing high-value secrets; test first in an isolated environment.

Review Dimensions

Purpose & Capability
ok: Name/description match the implementation: the script creates a venv (~/.clawvault-env), installs the clawvault package (PyPI with a pinned GitHub fallback), writes config under ~/.ClawVault, can start/stop services, run tests, generate rules, and optionally integrates OpenClaw proxy settings. There are no unrelated credentials or unrelated binaries requested.
Instruction Scope
note: SKILL.md and clawvault_manager.py instruct the agent to run only the bundled Python script and constrain file writes to predictable locations. However, the installer will modify an existing OpenClaw systemd unit (~/.config/systemd/user/openclaw-gateway.service) when present, set proxy-related environment lines, create a venv, download packages, and start background services. Those extra actions are documented but expand the runtime scope beyond merely 'installing a package' (it integrates into another agent runtime).
Install Mechanism
note: No install spec in registry, but the provided script performs pip installs inside a dedicated venv using a constrained PyPI spec and a pinned GitHub fallback (git+https). This is an expected install method for this purpose, but it carries standard supply-chain risks: no checksum/signature or dependency graph auditing is performed. The code does not download arbitrary archives from unknown personal URLs.
Credentials
note: The skill declares no required environment variables or credentials and does not request secrets. That is proportionate. Caveat: the installer will inject HTTP_PROXY/HTTPS_PROXY/NO_PROXY (and may set NODE_TLS_REJECT_UNAUTHORIZED or similar) into an existing openclaw systemd unit to route traffic through the proxy — this alters runtime environment for another component, which is a consequential but explained side-effect.
Persistence & Privilege
concern: The skill creates persistent artifacts (venv, config, audit DB, logs) and can start persistent services. Importantly, it conditionally modifies the OpenClaw systemd user unit file to route agent traffic through ClawVault. Modifying another component's configuration is a privileged action and should be accepted explicitly by the operator (the skill offers --no-proxy to skip this). The skill is not force-enabled (always:false) and does not request global/always privileges, which mitigates some risk.