Skill v1.0.1
ClawScan security
opsrobot Installation and Configuration Assistant · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Suspicious · Apr 22, 2026, 9:13 AM
- Verdict
- suspicious
- Confidence
- medium
- Model
- gpt-5-mini
- Summary
- The skill's instructions match an observability/install assistant for an OpenClaw/Doris-based stack, but it asks users to pull and run external Docker images and to enable broad capture of messages/prompts — actions that can expose sensitive data or run unreviewed code.
- Guidance
- This skill appears to be a legitimate installation/config guide for an observability platform, but it carries two main risks: (1) it tells you to clone and run a GitHub repo with Docker Compose — inspect the repo and docker-compose.yml and review all images before running them (run in an isolated environment if possible); (2) it instructs enabling diagnostics that collect includeMessages/includePrompt/includeSystem = true, which will capture chat messages, prompts, and potentially secrets — only enable this if you trust the endpoint and understand what data will be collected. Verify the otel/Vector endpoints are trusted, review vector.yaml and .openclaw/openclaw.json changes, and avoid enabling broad message capture in production or on systems with sensitive data.
Review Dimensions
- Purpose & Capability
- ok: The name/description (Openclaw observability for Apache Doris) align with the runtime instructions: cloning the opsrobot repo, starting via docker compose, and configuring Vector/otel to send logs/metrics to Doris.
- Instruction Scope
- concern: Instructions tell the user to git clone a GitHub repo and run 'docker compose up -d' (which will pull and run whatever images are in that repo) and to enable diagnostics with includeMessages/includePrompt/includeSystem set to true; this explicitly collects chat messages, system prompts, and other potentially sensitive content. The skill also tells the agent to edit .openclaw/openclaw.json and restart gateways; these are broad actions that can expose sensitive data if performed without review and consent.
- Install Mechanism
- note: There is no install spec in the skill package, but the instructions direct users to fetch and run an external GitHub project via Docker Compose. Running Docker Compose from an unreviewed repo can execute arbitrary code, so the repo should be reviewed before execution.
- Credentials
- concern: The skill requests no environment variables, but the configuration it asks to enable (collecting messages, prompts, and system content) is sensitive and may capture secrets or private conversation content. That level of data capture is proportionate to an agent-observability tool only if the user intentionally consents and the destination is trusted.
- Persistence & Privilege
- ok: The skill is not always-enabled and does not request persistent platform privileges. It instructs editing the local .openclaw config (its own domain) rather than altering other skills or global agent settings.
