Skillv1.0.0

ClawScan security

Model Tester · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

SuspiciousMar 11, 2026, 12:43 PM

Verdict: suspicious
Confidence: medium
Model: gpt-5-mini
Summary: The skill largely does what it says, but it implicitly requires the 'openclaw' CLI (not declared) and tails cluster logs—behavior that can capture unrelated or sensitive log content—so the mismatch and privacy surface warrant caution.
Guidance: Before installing or running this skill: (1) ensure the 'openclaw' CLI is installed and accessible (the skill did not declare this dependency in metadata), (2) run it in a safe/sandboxed environment because it tails OpenClaw logs which may contain unrelated or sensitive information from your deployment, (3) verify your OpenClaw config/gateway credentials are appropriate for testing (the script will use whatever local config the CLI has), (4) review and, if desired, edit references/test-cases.json so test prompts contain no sensitive data, and (5) consider running a single case with verbose output to confirm the tool only parses the expected model/token fields before using it on broader logs or CI. If you need higher assurance, ask the skill author to (a) declare 'openclaw' as a required binary in metadata, (b) add an option to limit log scope/time window, and (c) avoid reading unrelated log lines or optionally write raw logs only to a user-specified local file for manual review.

Review Dimensions

Purpose & Capability: concernThe skill's stated purpose (testing agents/models) matches the included code: scripts/model_tester.py runs predefined prompts and checks routing via OpenClaw logs. However, the SKILL metadata declares no required binaries while the code clearly requires the 'openclaw' CLI (used for both 'openclaw logs --follow --json' and 'openclaw agent ...'). This undeclared dependency is an incoherence and should be fixed/verified before install. The code also implicitly requires that the user has a valid OpenClaw configuration (gateway/credentials) available to the 'openclaw' binary.
Instruction Scope: concernThe runtime instructions and the script explicitly tail OpenClaw logs and run 'openclaw agent' subprocesses. The SKILL.md asserts only structured fields are captured and no user data is sent to models, which the script mostly enforces by using fixed test prompts. However, tailing logs with '--follow' collects arbitrary log lines from the OpenClaw runtime and the script inspects those lines with regexes — that can inadvertently match or expose other log content. The tool does not transmit logs externally, but it reads them and includes parsed tokens/model fields in output; if logs contain unexpected sensitive fields, parsing may capture them. The instruction text is otherwise scoped to the testing task and does not ask for additional unrelated files or env vars.
Install Mechanism: noteThere is no install spec (instruction-only plus a script file). That is low-risk in that nothing is downloaded or executed at install time, but the packaged script will execute subprocesses at runtime. No external archives or network installers are used.
Credentials: noteThe skill declares no required environment variables or credentials, which is reasonable. However, it relies on the local 'openclaw' CLI and therefore implicitly on whatever credentials/config the user's OpenClaw installation uses (gateway keys, local config). That implicit access is proportional to the tool's purpose but should be understood by the user: running this script will cause the agent/CLI to execute and may read the user's OpenClaw config.
Persistence & Privilege: okThe skill does not request persistent presence (always:false) and does not modify other skills or system settings. It runs as a normal, user-invoked tool and does not autonomously enable itself or persist new credentials.