Skill v1.0.1

ClawScan security

PPQ.AI Private Mode · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Suspicious · Mar 12, 2026, 3:45 PM
Verdict
suspicious
Confidence
medium
Model
gpt-5-mini
Summary
The skill's instructions are coherent with its stated purpose (installing a PPQ private-mode proxy) but they ask you to install third‑party code from GitHub and to store your PPQ API key in your OpenClaw config — actions that carry notable risk and lack verification steps.
Guidance
This skill does what it says (sets up a local PPQ proxy and configures OpenClaw) but requires you to install code from a GitHub repo and to store your PPQ API key in your OpenClaw configuration. Before installing: (1) verify the GitHub repository and its owner (PayPerQ) and inspect the code or releases (prefer a pinned release commit or checksum); (2) back up ~/.openclaw/openclaw.json; (3) consider creating a revocable or limited-scope PPQ key if possible; (4) prefer to run the install commands manually rather than allowing an agent to do them autonomously; (5) after installation, review the plugin's code and network behavior (e.g., confirm it only proxies to PPQ endpoints and doesn't exfiltrate keys). If you don't trust the repo or cannot review the code, do not install.

Review Dimensions

Purpose & Capability
ok
Name and description match the runtime instructions: the skill asks for a PPQ API key, installs a PPQ proxy plugin, updates OpenClaw's config to point at a local proxy, and restarts the gateway. The requested artifacts (API key, plugin install, config changes) are expected for enabling a local encrypted proxy workflow.
Instruction Scope
note
Instructions are narrowly scoped to installing a plugin, merging JSON into ~/.openclaw/openclaw.json, and restarting the OpenClaw gateway. These actions are in-scope for installing a provider plugin, but they touch persistent user configuration and a user systemd service. The doc does not instruct any broad system scans or access to unrelated files, but it also does not require verifying the plugin before installation.
Install Mechanism
note
There is no embedded install spec, but the instructions call out to `openclaw plugins install https://github.com/PayPerQ/ppq-private-mode-proxy`. Downloading and running code from a third-party GitHub repository is common but inherently risky without integrity checks or a pinned release; the instructions include no verification (commit hash, checksum, or release tag).
Credentials
ok
The only secret requested is the user's PPQ API key (sk-...), which is proportionate to a plugin that must authenticate to PPQ. However, the instructions require persisting that key in OpenClaw's plugin config, which is sensitive — the skill does not provide guidance on secure storage, rotation, or least-privilege keys.
Persistence & Privilege
concern
The instructions modify a user config file (~/.openclaw/openclaw.json) and restart the user's openclaw-gateway.service. Those are reasonable for plugin installation but are high-impact operations. Because the platform allows autonomous invocation by default, an agent could perform these changes automatically. The skill does not request 'always: true', but the potential for automated modification of persistent config and service restart increases risk and warrants user confirmation and code review before running.