Back to skill
Skillv1.0.1
ClawScan security
OpenClaw QuickRef · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
BenignMar 13, 2026, 10:38 PM
- Verdict
- benign
- Confidence
- high
- Model
- gpt-5-mini
- Summary
- This skill is a documentation-only quick reference for the OpenClaw CLI and config formats; its files and examples are consistent with that purpose and it does not request extra credentials, binaries, or install steps.
- Guidance
- This skill is documentation-only and appears coherent with its stated purpose. Before trusting or using the examples: do not paste real API keys into public/shared files; prefer environment variables for secrets; be cautious when following the CLI examples that install plugins (installing plugins from npm or Git repos can run third-party code); avoid adding untrusted directories to skills.paths; and review any plugin packages you install for provenance before enabling them in OpenClaw.
Review Dimensions
- Purpose & Capability
- okName/description match the provided contents: the skill is an offline quick reference showing CLI commands, config JSON examples, and common patterns. Example environment variables (OPENAI_API_KEY, ANTHROPIC_API_KEY, DISCORD_TOKEN, etc.) appear only as illustrative placeholders and are appropriate for a config reference.
- Instruction Scope
- okSKILL.md and the reference files contain only documentation and example commands/config snippets. There are no runtime instructions that tell the agent to read arbitrary files, export secrets, call external endpoints, or perform actions outside of giving guidance.
- Install Mechanism
- okNo install spec and no code files — instruction-only skill. Nothing is downloaded or written to disk by the skill itself.
- Credentials
- noteThe skill does not require any environment variables. It shows common env-var placeholders in examples (OPENAI_API_KEY, ANTHROPIC_API_KEY, DISCORD_TOKEN). This is expected for documentation, but users should not paste real secrets into shared config files or into untrusted skills.
- Persistence & Privilege
- okalways is false and there are no installation scripts or config modifications. Autonomous model invocation is enabled (platform default) but the skill's scope is documentation-only, so autonomy does not broaden capabilities here.