Skill v1.1.0

ClawScan security

Signal Pipeline · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Reviewed: Feb 22, 2026, 8:28 AM
Verdict: Review
Confidence: medium
Model: gpt-5-mini
Summary
The skill largely does what it claims (collects RSS/X/Telegram/Gmail newsletters and writes local SQLite databases and drafts), but it omits several operational requirements from its metadata, hardcodes others, and writes into a user-specific agent workspace path. Those inconsistencies merit caution before installing or running.
Guidance
Before installing or running:
1) Expect to configure and authorize a 'gog' CLI for Gmail; the skill does not declare that requirement. Do not grant Gmail access unless you trust the code.
2) Inspect and change the hardcoded paths (e.g., /Users/jarvis/.openclaw/workspace/memory/daily_signals/). They write into a specific user's home directory and agent workspace, where the platform may persist or upload the data. Use an explicit data directory you control.
3) Run the code in a sandboxed environment (isolated VM or container): it performs web requests (t.me, fxtwitter, sogou) and writes local databases.
4) Replace subprocess.run(..., shell=True) with an argument-list invocation, or verify that every shell-invoked query is static (newsletter_monitor uses static queries in code).
5) If you will grant Gmail access, review newsletter_monitor.py carefully to confirm that only the expected fields (subject/sender/date) are extracted and that nothing is sent to external endpoints.
6) If you proceed, update the SKILL metadata to declare the required binaries (gog) and document the Gmail credential needs; remove or parameterize absolute file paths so the skill does not implicitly write into agent memory.
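The following is an added illustration of guidance points 2 and 4; it is not code from the skill or from ClawHub. It shows why shell=True turns a query string into executable shell syntax while an argument list delivers it as one literal argument, and how to take the data directory from the operator instead of a baked-in path. The 'gog' subcommands are not known here, so the command is built from a placeholder argument list; SIGNALS_DATA_DIR is a hypothetical environment variable name and the query string is constructed for the demonstration.

```python
"""Added example (not from the skill): argv-list invocation of an external
CLI and an explicit, operator-chosen data directory.

Assumptions: the 'gog' subcommands are not known here, so the command is
built from a placeholder argument list; SIGNALS_DATA_DIR is a hypothetical
environment variable name.
"""
import json
import os
import subprocess
import sys
import tempfile
from pathlib import Path

ENV_DATA_DIR = "SIGNALS_DATA_DIR"  # hypothetical; pick any name you control


def build_argv(tool, subcommand_args, query):
    """Build an argument vector. Each element reaches the tool as exactly
    one argument; no shell ever parses `query`."""
    return [tool, *subcommand_args, query]


def shell_roundtrip(query):
    """The pattern the review flags: the query is spliced into a command
    string and handed to /bin/sh, so metacharacters in `query` execute.
    `echo` stands in for the real tool to keep the demonstration harmless."""
    proc = subprocess.run(f"echo {query}", shell=True,
                          capture_output=True, text=True, check=True)
    return proc.stdout.splitlines()


def argv_roundtrip(query):
    """Hardened form: the same query passed as one element of an argument
    list. A small Python child echoes its argv back as JSON so we can see
    that the metacharacters survived as literal text."""
    child = [sys.executable, "-c",
             "import sys, json; print(json.dumps(sys.argv[1:]))"]
    proc = subprocess.run(build_argv(child[0], child[1:], query),
                          shell=False, capture_output=True, text=True,
                          check=True)
    return json.loads(proc.stdout)


def resolve_data_dir(environ=None):
    """Return the data directory: SIGNALS_DATA_DIR if set, otherwise a
    default under the invoking user's own home. Never a path baked into
    the code for one particular user or agent workspace."""
    environ = os.environ if environ is None else environ
    raw = environ.get(ENV_DATA_DIR)
    if raw:
        return Path(raw).expanduser().resolve()
    return (Path.home() / ".local" / "share" / "daily_signals").resolve()


def ensure_data_dir(path):
    """Create the directory readable by the current user only (0o700), so
    other local accounts cannot read the collected newsletter metadata."""
    path.mkdir(parents=True, exist_ok=True)
    os.chmod(path, 0o700)
    return path


if __name__ == "__main__":
    # Constructed query carrying a shell metacharacter sequence.
    hostile = "newer_than:1d; echo INJECTED"
    print("shell=True ->", shell_roundtrip(hostile))  # ['newer_than:1d', 'INJECTED']
    print("argv list  ->", argv_roundtrip(hostile))   # ['newer_than:1d; echo INJECTED']
    chosen = ensure_data_dir(resolve_data_dir({ENV_DATA_DIR: tempfile.mkdtemp()}))
    print("data dir   ->", chosen)
```

With shell=True the second command runs; with the argument list the whole string arrives as a single argv entry, which is why the review suggests the argument-list form unless every query is verifiably static. The data-directory helper makes the write location an explicit operator decision rather than a property of the author's machine.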

Review Dimensions

Purpose & Capability
Status: note
The code implements RSS, X (FxTwitter), Telegram scraping, and Gmail newsletter extraction, consistent with the description. However, the SKILL metadata declares no required binaries or credentials, while the runtime relies on an external 'gog' CLI for Gmail access and on network access to third-party services (t.me, fxtwitter, sogou). The undeclared requirements are an inconsistency.

Instruction Scope
Status: concern
Runtime instructions and code reference reading Gmail via the gog CLI, scraping external websites, and writing and reading local files. More importantly, daily_signals.py writes and reads JSON from a hardcoded absolute path (/Users/jarvis/.openclaw/workspace/memory/daily_signals/), which is a user-specific, agent-workspace-like location. That path assumption and the absolute writes are out of scope for a portable skill and could cause privacy and persistence issues.

Install Mechanism
Status: ok
There is no install spec (instruction-only with bundled Python code). No network install of arbitrary archives or remote execution at install time is specified. You must pip-install the requirements manually, which is expected for a Python project. Risk from the install mechanism is low, but running the code will make network requests and write files.

Credentials
Status: concern
The skill requests no env vars or credentials in its metadata, yet newsletter_monitor.py requires a configured 'gog' CLI with Gmail access (which implies OAuth credentials or local tokens). The code also writes into a likely agent memory path under a specific user's home, which gives it implicit access to the agent/user workspace. These required secrets and file accesses are not declared and are disproportionate to what is advertised.

Persistence & Privilege
Status: concern
The skill is not always-enabled and does not modify other skills, but it writes persistent state to local SQLite DBs and to a hardcoded agent-memory-like directory (/Users/jarvis/.openclaw/workspace/memory/...). Writing into an OpenClaw-style workspace/memory directory could cause data to be retained by the agent platform; combined with autonomous invocation (the default), this increases persistence and blast radius relative to a self-contained script.