Skill v0.2.0
ClawScan security
QuantumOS · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Suspicious · Feb 15, 2026, 6:04 PM
- Verdict
- suspicious
- Confidence
- medium
- Model
- gpt-5-mini
- Summary
- The skill mostly does what it says (clones a dashboard repo, installs deps, and wires it to the local OpenClaw gateway), but it also instructs you to modify agent/workspace behavior (append automatic task-triage instructions) and touches user config files — these actions expand its scope and deserve extra review before installing.
- Guidance
- Read before running. Recommendations:
  - Inspect the GitHub repository (https://github.com/murtiurti4/quantumos.git) yourself before running setup.sh; confirm code matches expectations and review package.json/package-lock for risky dependencies.
  - Back up HEARTBEAT.md (and any workspace config) before making changes. Do not blindly append the automatic triage block; review and restrict the instructions (remove/limit the "start working on it" automatic behavior) or run triage manually until you trust the setup.
  - The setup script will try to read your OpenClaw config (~/.openclaw/openclaw.json) to auto-detect gateway.token and will write that token into the project's .env.local; consider entering a scoped/temporary token, or edit .env.local manually instead of letting the script write it.
  - Run npm install in a controlled environment (or inspect dependencies), and consider running the server in a container or VM first rather than on a host with sensitive data.
  - Be cautious about allowing any agent automatic task execution that could perform actions on your systems; prefer manual confirmation or tight guardrails.
  - If you are unsure, mark this skill as 'suspicious' and request the upstream repo source and code review from a trusted developer before installing.
- Findings
[no_regex_findings] expected: Static pre-scan reported no pattern matches. The included setup.sh performs a git clone of a GitHub repo and npm install — these are expected for an installer and are consistent with the skill's purpose.
Review Dimensions
- Purpose & Capability
- note: The skill's code and instructions align with its stated purpose: setup.sh clones a Next.js dashboard repo, installs npm deps, creates data dirs, and wires in the OpenClaw gateway token. That behavior is expected for an "install and manage dashboard" skill. However, the SKILL.md also instructs adding an automated triage block to HEARTBEAT.md (agent/workspace behavior), which is arguably beyond a pure UI install and changes runtime agent behavior.
- Instruction Scope
- concern: SKILL.md tells the user to append a block to HEARTBEAT.md that directs an agent to periodically GET localhost:3005/api/mission-control/tasks and automatically 'generate a proper title', set status to in_progress, and 'start working on it'. This grants broad, autonomous task-processing instructions. The setup script also reads ~/.openclaw/openclaw.json to auto-detect a gateway.token and writes an .env.local with that token. Reading/writing the user's OpenClaw config and modifying workspace behavioral files expands the skill's scope beyond installing a dashboard and could cause agents to act without finer-grained constraints.
- Install Mechanism
- note: This is an instruction-only skill with a bundled setup.sh that clones a GitHub repository (https://github.com/murtiurti4/quantumos.git) and runs npm install. Cloning a public GitHub repo and installing npm deps is expected for this purpose, but npm install will bring third-party packages (normal risk). There is no opaque remote binary download or URL shortener in the install script.
- Credentials
- note: The skill declares no required env vars but the script reads ~/.openclaw/openclaw.json to auto-detect gateway.token and writes OPENCLAW_GATEWAY_TOKEN and OPENCLAW_GATEWAY_PORT into the project's .env.local. It also creates files under ~/.openclaw/mission-control and ~/.openclaw/dashboard-data. These are relevant to the dashboard but would ideally be documented as required config access because they involve reading a local credential and writing data into the user's OpenClaw folder. The SKILL.md also suggests optionally adding an XAI_API_KEY for X feeds.
- Persistence & Privilege
- concern: always:false and normal autonomous invocation are fine. The main concern is the instruction to append an automated triage block to HEARTBEAT.md (workspace/agent instructions). That is a modification to agent/workspace behavior and could give agents broad autonomous powers to start work on tasks. The skill does not itself force-enable persistent system-wide privileges, but it instructs the user to alter files that affect agent runtime behavior.
