Skillv1.0.1

ClawScan security

sparker · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

SuspiciousMar 11, 2026, 9:59 AM

Verdict: suspicious
Confidence: high
Model: gpt-5-mini
Summary: The skill's behavior (always-on exec, filesystem writes, and optional network publishing) and metadata contain several inconsistencies and privilege-expanding requests that are not clearly justified by the description — review carefully before enabling.
Guidance: This skill is flagged as suspicious because it is designed to be always-on, can execute Node commands, read/write agent config (~/.openclaw) and /tmp, and optionally transmit distilled user data to an external hub. Specific things to consider before installing or enabling: - Do not enable full exec/filesystem/network privileges unless you trust the code and the SparkLand host. Sparker asks agents to run before every task and can collect broad context. - Registry metadata is inconsistent: STP_HUB_URL is listed as required even though SKILL.md/README say the hub is optional. Ask the author why STP_HUB_URL is required. - The package can read ~/.openclaw/openclaw.json and claim to 'inherit' LLM keys — do not let it access host LLM API keys unless you intentionally want the skill to use them. If you must test, run it in a sandboxed environment without sensitive credentials. - The README suggests installing via curl | tar from sparkland.ai — avoid running unknown download-and-extract piped commands. Prefer cloning the repository from a trusted source or auditing the code first. - If you plan to use the hub, never supply account passwords or binding keys through the agent without manual review; prefer manual binding steps and inspect what is saved in ~/.openclaw/sparkhub.json. If you want to proceed safely: review the code (especially transmit/sanitizer and auth modules), run the skill in an isolated container or VM, disable outbound network (or point STP_HUB_URL to a test server), and avoid enabling always-on exec/filesystem tools in your production agent until you’re satisfied with data-sanitization and behavior.

Review Dimensions

Purpose & Capability: concernThe skill claims to be an always-on learning engine (reasonable) and requires Node/exec (expected), but registry metadata lists STP_HUB_URL as a required env var while SKILL.md and README state the hub is optional and the skill can be fully local. The code also reads host OpenClaw configuration (~/.openclaw/openclaw.json) and claims to 'inherit' the host LLM configuration — that broad host-config access is not obviously required for local capture and is not justified in the metadata. Additionally the registry says "No install spec / instruction-only" while the package includes a complete Node CLI implementation (many source files) and README gives a curl download from sparkland.ai — these mixed signals are incoherent.
Instruction Scope: concernSKILL.md instructs the agent to run the Sparker CLI before every task (search), to capture user corrections and write distilled JSON sparks to /tmp and persist them in assets directories, and to read/write ~/.openclaw/sparkhub.json. It requires the agent to read SKILL.md every session and to perform broad behavioral changes (always-on capture). The runtime instructions explicitly allow network transmission to SparkLand for publishing and binding keys; they also instruct the agent to prompt users for credentials (email/password/invite) and to send them to the hub. These instructions grant broad discretionary data collection and transmission beyond a simple helper and could capture sensitive context or credentials.
Install Mechanism: concernThe registry shows no formal install spec, but the package contains full source (index.js, many src/ files) and README recommends fetching a tarball from https://sparkland.ai via curl | tar. Downloading and extracting code from an external domain (sparkland.ai) and running npm install and a Node CLI is higher-risk than an instruction-only skill. The package dependencies include many optional npm packages; nothing obviously malicious in the lockfile, but the recommended curl | tar install from a remote site is an elevated install-risk pattern.
Credentials: concernThe skill requests STP_HUB_URL (declared required in registry) but the SKILL.md says hub is optional; it also documents and reads many STP_* env vars (embedding endpoint/key, binding key, agent name) and can inherit host LLM config from ~/.openclaw/openclaw.json. That means the skill can learn and use the host's LLM/embedding keys or other sensitive config. It also stores a binding key locally and will include it on outbound requests. Requiring or accessing host LLM credentials and agent configuration is disproportionate unless the user explicitly intends networked publishing and trusts the hub.
Persistence & Privilege: concernThe skill is marked always:true in metadata and SKILL.md explicitly demands to be read every session and run pre-task searches. Combined with exec permission, filesystem access (read/write ~/.openclaw, assets directories, /tmp), and optional outbound network to sparkland.ai, this creates a high-privilege, always-present behavior that can collect and transmit data across all user tasks. 'always:true' plus these capabilities significantly increases the blast radius if the skill or the hub is misused.