Skill v1.0.0
ClawScan security
Chrome Session Attach · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Review: Mar 15, 2026, 10:43 AM
- Verdict: Review
- Confidence: high
- Model: gpt-5-mini
- Summary: The skill's instructions clearly require access to local OpenClaw files and a Gateway token, but the registry metadata does not declare these sensitive config paths or credentials — this mismatch is a red flag.
- Guidance: This skill will instruct you (or the agent) to read files under ~/.openclaw and to copy/load a local Chrome extension that uses a Gateway token from ~/.openclaw/openclaw.json. The registry metadata did not declare those config paths or credentials — that's the primary inconsistency. Before installing or using:
  1. Verify the origin and contents of the Chrome extension being loaded; only load unpacked extensions you trust.
  2. Confirm the Gateway is intended to run on 127.0.0.1 and that exposing its token to a browser extension is acceptable for your threat model.
  3. Inspect ~/.openclaw/openclaw.json yourself rather than running untrusted commands that cat it; avoid pasting the token into third-party sites.
  4. Consider not copying sensitive files to a public Desktop folder; use a secure location with strict permissions.
  5. Ask the publisher to update the skill metadata to explicitly declare required config paths/credentials (e.g., required config path: ~/.openclaw/openclaw.json) so you can make an informed decision.
  The mismatch between instructions and declared requirements is why this is flagged as suspicious.
Review Dimensions
- Purpose & Capability (concern): The skill's stated purpose (attach to and control Chrome tabs) matches the runtime instructions (install local extension, connect to a local Gateway, run openclaw browser commands). However, the skill metadata lists no required config paths, env vars, or credentials even though the instructions explicitly read files under ~/.openclaw (extension path and openclaw.json token). The omission is inconsistent and unexplained.
- Instruction Scope (concern): SKILL.md instructs the user/agent to read local files (`cp ~/.openclaw/browser/chrome-extension`, `cat ~/.openclaw/openclaw.json | jq -r '.gateway.auth.token'`) and to expose a Gateway token to the extension. These actions go beyond mere UI guidance and require access to sensitive local configuration. While these steps are coherent with the skill's function, they constitute sensitive file access that should have been declared and justified in metadata.
- Install Mechanism (ok): This is an instruction-only skill with no install spec and no code files. That minimizes supply-chain risk because nothing is downloaded or written by the skill itself beyond the manual copy step the user performs.
- Credentials (concern): The instructions require the Gateway token stored in ~/.openclaw/openclaw.json and access to the OpenClaw extension directory. Yet requires.env, primary credential, and required config paths are empty in the registry metadata. Requesting or reading the gateway token is a sensitive operation and should be explicitly declared; its absence is disproportionate and reduces transparency.
- Persistence & Privilege (ok): The skill is not always-enabled and does not request persistent privileges. Autonomous invocation is allowed (platform default) but is not combined with any other elevated or undeclared access in the metadata.
