Skillv1.1.0

ClawScan security

Supermarket · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

BenignFeb 23, 2026, 12:45 AM

Verdict: benign
Confidence: high
Model: gpt-5-mini
Summary: The skill's code, instructions, and requirements are consistent with a Kroger API client that uses a hosted OAuth proxy; nothing in the bundle asks for unrelated credentials or privileges, but you must trust the hosted proxy or self-host it.
Guidance: This skill is internally consistent: the code implements the described Kroger client and a hosted OAuth proxy whose server-side secrets are kept off the agent. The main risk is trusting the hosted proxy at us-central1-krocli.cloudfunctions.net because it holds the Kroger client_id/secret and handles exchanging/refreshing user tokens. If you don't fully trust that remote service, either: (1) self-host the provided Firebase Cloud Functions (source is bundled) and deploy them to your own project so you control the secrets, or (2) use your own Kroger developer credentials via the CLI's local mode (instructions in README). Also review the SKILL.md fully (scanner flagged a base64 block) and double-check that the login link behavior suits you. Note that the CLI may store credentials and optional Telegram tokens under ~/.config/krocli — don't provide Telegram or other tokens unless you trust the destination.
Findings: [base64-block] unexpected: A base64-block pattern was detected inside SKILL.md. The rest of the bundle appears coherent and open-source; the base64 signal may be a benign artifact (e.g., an example or truncated payload) but you should inspect SKILL.md's full content for any encoded instructions or hidden data before trusting the hosted proxy.

Review Dimensions

Purpose & Capability: okThe name/description (product search, locations, cart, profile) match the included code: a CLI and Firebase Cloud Functions that implement client_token and user_token flows, product/location endpoints, and cart/profile calls. No unrelated services or credentials are requested in the skill metadata.
Instruction Scope: noteSKILL.md instructs the agent to use a hosted OAuth proxy endpoints (authorize, tokenClient, tokenUser, tokenRefresh) and to generate session IDs and present a login link for the browser-based OAuth flow. These instructions stay within the stated purpose. The SKILL.md explicitly says the proxy holds client_id/client_secret and that tokens are deleted after retrieval; that behavior is implemented in the provided proxy source. A prompt-injection pattern (base64-block) was detected in SKILL.md — review that section in full to confirm it isn't trying to encode hidden instructions or data (scanner found a base64 block, which often is benign but worth eyeballing).
Install Mechanism: okThere is no install spec (instruction-only skill for runtime); source code is bundled but nothing in the skill will automatically download or execute external binaries. The presence of Firebase function source and a Go CLI is consistent with the documented self-hosting option; no high-risk install URLs or archive extraction are present.
Credentials: noteThe skill declares no required environment variables for agent runtime. The bundled proxy code expects server-side secrets (KROGER_CLIENT_ID and KROGER_CLIENT_SECRET) for the hosted Cloud Functions — this is appropriate for an OAuth proxy, but it means you must trust the operator of us-central1-krocli.cloudfunctions.net. The CLI optionally uses OPENCLAW_BOT_TOKEN / OPENCLAW_CHAT_ID (Telegram) or stores Telegram/credentials locally under ~/.config/krocli; that is proportional to the advertised telegram 'send login link' feature.
Persistence & Privilege: okSkill is not force-included (always: false) and uses normal agent invocation. The CLI code writes user credentials/telegram config to ~/.config/krocli and the proxy writes temporary session documents to Firestore — these are reasonable for the feature set. The tokenUser function deletes the Firestore session after returning tokens, and sessions have a 5-minute TTL as described.