OpenClaw Security Analysis

The skill's code and runtime instructions match its stated purpose (local code scanning, dependency checking, and secret detection); there are minor documentation mismatches and one implementation detail worth reviewing before use.

This skill appears to do what it says: local static scans, dependency checks, and secret detection. Before installing or running it on sensitive repositories: 1) Review the full scripts/main.py (the provided snippet was truncated) to confirm there are no network calls or exfiltration paths. 2) Note the tool will read project files (including .env) to find secrets—run it in a safe/test environment if you are worried about exposing keys. 3) The code will optionally import a 'c-support' library from a relative parent path if present; ensure you trust any c-support/ code in your repo because it would be executed. 4) The SKILL.md references other files (scanner.py, rules/) that are not bundled—confirm you have the intended rule set if you expect C/C++ scanning. If you want higher assurance, run the script in an isolated environment and inspect the remainder of the code for network or subprocess usage before granting it broad autonomous access.