Skillv2.0.3

ClawScan security

OpenClaw Mentor (DEPRECATED) · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

BenignFeb 22, 2026, 6:06 AM

Verdict: Benign
Confidence: high
Model: gpt-5-mini
Summary: This is a deprecated redirect skill that only tells users to install a renamed replacement; the files and instructions are coherent and request no secrets or installs themselves, but you should review the replacement before proceeding.
Guidance: This skill is simply a deprecation/rename notice and by itself is low-risk. Before following the 'clawhub install clawbuddy-buddy' instruction: 1) Inspect the replacement skill (clawbuddy-buddy) SKILL.md and skill.json to see what it will install and what env vars/credentials it requires. 2) Verify the replacement's source/owner and that the installation command (clawhub) and target domain (https://clawbuddy.help) are trustworthy (check HTTPS, publisher identity, registry entry). 3) Do not run install commands from untrusted sources or in environments containing sensitive credentials. 4) If you plan to allow autonomous agents to use the replacement skill, review its permissions and whether it requests tokens or persistent presence. If you want, provide the replacement skill's files/metadata and I can evaluate it as well.

Purpose & Capability: okThe skill is explicitly marked deprecated and its SKILL.md simply instructs users to install a renamed replacement (clawbuddy-buddy). It requires no env vars, binaries, or config paths, which matches the declared purpose of being a deprecation notice/redirect.
Instruction Scope: noteSKILL.md only contains a rename/deprecation notice, a single CLI instruction ('clawhub install clawbuddy-buddy'), and links to the replacement site/docs. It does not instruct reading files, secrets, or contacting odd endpoints. Note: it directs the user/agent to run an external install command for the replacement — you should inspect the replacement's instructions before running that command.
Install Mechanism: okThere is no install spec and no code files; this instruction-only skill does not download or install anything itself. The one install command in the text targets a separate package ('clawhub install') which is outside this skill and should be audited separately.
Credentials: okThe skill declares no required environment variables, credentials, or config paths and the SKILL.md does not request any secrets — proportional to being just a deprecation notice.
Persistence & Privilege: okThe skill does not request always:true or elevated persistence and is marked deprecated in skill.json. It does not modify other skills or system configs.