Skillv1.0.0

ClawScan security

PLC Skill · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

BenignApr 6, 2026, 9:41 AM

Verdict: benign
Confidence: high
Model: gpt-5-mini
Summary: The skill's declared purpose (PLC engineering and vendor-aware guidance) matches its files and runtime instructions; it requests no secrets, has no install actions in the package, and its behavior is consistent with the description.
Guidance: This skill appears internally consistent and does not request secrets or perform installs itself, but remember: 1) it provides engineering advice for safety-critical PLC systems — do not treat outputs as guaranteed safe for field deployment without review, vendor/model confirmation, and testing in a simulation or staging environment; 2) confirm the 'openclaw' binary you run is the official OpenClaw runtime; 3) when installing via the suggested ClawHub/npm flow, review what the ClawHub CLI will download and its permissions; and 4) avoid letting any automation using this skill make direct live changes to PLC hardware without human oversight and proper change-control procedures.

Review Dimensions

Purpose & Capability: okThe name/description (PLC development, review, debugging, vendor routing) aligns with the included SKILL.md and the large set of vendor/common reference files and templates. The only declared external requirement is the 'openclaw' binary which is appropriate for an OpenClaw skill.
Instruction Scope: okSKILL.md confines runtime behavior to reading bundled references, routing by vendor cues, and applying templates; it does not instruct the agent to read unrelated system files, exfiltrate data, or call unexpected external endpoints. Install/usage docs simply show how users can add the skill to tools and point at local paths.
Install Mechanism: okThis is an instruction-only skill with no install spec in the package. INSTALL.md recommends using a separate ClawHub CLI (npm) or git clone — standard user-facing installation instructions, not an embedded download or opaque remote fetch in the skill itself.
Credentials: okThe skill declares no required environment variables, no credentials, and no config paths. All required resources are local documentation files and a single expected platform binary ('openclaw'), which is proportionate to the stated purpose.
Persistence & Privilege: okFlags show 'always: false' and the skill is user-invocable; there is no request for permanent elevated presence or modification of other skills or system-wide settings. Autonomous invocation is allowed by platform default but not combined with other red flags here.