Skill v1.0.0

ClawScan security

skill-router · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Suspicious (Feb 15, 2026, 5:16 PM)
Verdict
suspicious
Confidence
medium
Model
gpt-5-mini
Summary
The skill's purpose (routing and chaining other skills) matches its instructions, but the runtime instructions ask the agent to execute arbitrary per-skill scripts and to skip full-skill inspection (frontmatter-only scanning), which increases the risk of executing hidden or dangerous behavior and is not declared in the skill metadata.
Guidance
This skill is an orchestrator and is coherent with that purpose, but it asks the agent to execute other skills' run scripts and to only scan frontmatter (not full skill bodies). Before installing, consider: (1) Do you trust every skill already present in your workspace? Any skill with a run.sh could execute arbitrary commands when routed. (2) Ask the publisher to explicitly declare required config paths (workspace/events/memory) and to provide guardrails: require explicit approvals for side-effecting actions (git push, deploy, email/post), validate or sandbox run scripts, and perform full SKILL.md/code inspection rather than frontmatter-only. (3) Prefer testing the router in an isolated environment (non-production workspace) and enable verbose logging/audit trail and an allowlist of skills it may execute. If you can't verify those mitigations, treat this skill as higher risk and avoid making it the universal gateway.

Review Dimensions

Purpose & Capability
concern
The name/description (skill-router) aligns with orchestrating other skills, but the SKILL.md explicitly instructs reading files under $HOME/.openclaw/workspace and executing skills/*/run.sh. The registry metadata declares no required config paths or workspace access, so the skill's runtime expectations (file system access to the workspace and execution of per-skill scripts) are not reflected in the declared requirements: an incoherence between declared and actual behavior.
Instruction Scope
concern
The instructions tell the agent to: (1) scan only SKILL.md frontmatter (skip the full body), (2) execute arbitrary scripts (bash $WORKSPACE/skills/{name}/run.sh), (3) write/read events/ files for chaining, and (4) auto-trigger subsequent skills. Skipping full-body reads weakens inspection and can hide malicious details. Direct execution of other skills' run scripts without additional validation or authorization grants this skill broad discretion to run arbitrary code and to chain side-effecting operations.
Install Mechanism
ok
Instruction-only skill with no install spec, no downloads, and no declared binaries, so install risk is minimal. Nothing is written to disk by an installer here (the instructions themselves describe writing events at runtime).
Credentials
note
The skill declares no required env vars or credentials (consistent with being an orchestrator). However, the runtime instructions assume access to the $HOME/.openclaw/workspace, events/, and memory/ paths even though no config paths were declared. That implicit filesystem access should be declared and justified.
Persistence & Privilege
concern
always:false and no explicit persistent install is good, but the skill is intended as a 'first gateway' and to be used on every request. Its instructions enable autonomous invocation of many other skills (including running their scripts and auto-trigger rules), which increases the blast radius. The skill also recommends token-saving heuristics that intentionally avoid full inspection of skills; combining broad autonomous invocation with reduced inspection is risky.