Skill v1.0.0

ClawScan security

A2a Manager · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Suspicious · Mar 4, 2026, 6:40 AM
Verdict
suspicious
Confidence
medium
Model
gpt-5-mini
Summary
The skill mostly matches its stated agent/Notion/Discord management purpose, but there are mismatches and omissions: Notion credential access is not declared, Discord operations are simulated and local-only, and several scripts read, write and delete files under your home workspace. Review it before installing, or grant access only in an isolated environment.
Guidance
Read this before installing or running:
(1) The package will create and remove files under your home directory (~/.openclaw/workspace) including agent workspaces and logs — run it in an isolated environment or backup that directory first.
(2) Notion integration requires a Notion API key (it looks for ~/.config/notion/api_key or NOTION_API_KEY) but that credential was not declared in the registry metadata — do not supply secrets until you confirm the code and trust the author.
(3) Discord management is simulated locally (writes a local discord_config.json) rather than using the Discord API; if you expect the skill to act on your Discord server you should verify it actually uses a Discord token and the official API.
(4) The code contains some clear bugs (e.g., malformed assignment in task_board.create_task) — expect runtime errors; review the full source before use.
(5) If you need to proceed: run the scripts in a throwaway account/container, inspect and, if desired, modify the code to require and validate explicit env vars and to avoid destructive delete() calls without confirmation.
If you can, ask the author to: declare required env vars in metadata (NOTION_API_KEY), document exactly which filesystem paths it will write, and clarify whether Discord operations will ever call the real Discord API and require a Discord token.
Findings
[no_findings] unexpected: Static pre-scan reported no regex matches, but the code nevertheless accesses sensitive locations (Notion API key file ~/.config/notion/api_key or env NOTION_API_KEY) and performs filesystem writes/deletes under ~/.openclaw/workspace. Absence of regex hits does not mean there are no security-relevant behaviors.

Review Dimensions

Purpose & Capability
concern: The skill claims full Discord channel/role management but the provided discord_manager simulates operations by writing a local config file rather than calling the Discord API (no Discord token is requested). Conversely, the Notion integration does call the Notion API but the skill registry metadata did not declare any required credential (NOTION_API_KEY or ~/.config/notion/api_key). The file-based agent workspace creation/deletion behavior aligns with the 'create agent' purpose, but the mismatch around Discord & Notion credentials is incoherent and surprising for a user who expects direct Discord changes.
Instruction Scope
concern: Runtime instructions (and the code) read and write many files under the user's home directory (~/.openclaw/workspace and ~/.config/notion/api_key), create and delete agent workspaces, spawn 'specialists' as JSON files and can remove them, and produce logs. These file operations are within the claimed domain, but the SKILL.md did not call out that it will create/delete files and potentially remove agent workspaces. Also some code paths (Notion API calls) require a secret key the SKILL.md doesn't declare. There are also apparent coding bugs (e.g., malformed assignment in task_board.create_task) which could cause runtime failures.
Install Mechanism
ok: There is no install spec — this is instruction+code only and nothing is downloaded or executed automatically on install. That lowers installation risk; however the included Python scripts will run on the host with access to user files if invoked.
Credentials
concern: The code attempts to read a Notion API key from ~/.config/notion/api_key or the NOTION_API_KEY environment variable but the skill's manifest did not declare this requirement. No Discord token is requested even though the skill claims Discord management (the code purposely simulates Discord actions). Requesting/using a Notion API key is reasonable for Notion integration, but the omission from declared requirements is a red flag and should be surfaced to users before granting secrets.
Persistence & Privilege
ok: The skill does not request persistent platform privileges (always: false). It persists its own state under ~/.openclaw/workspace (log files, configs, agent workspaces, specialist JSON files), which is normal for a manager tool but means it will leave files on disk. It does include delete routines (delete_agent, dispose_specialist) that can remove those workspace directories — expected for this kind of skill but destructive to on-disk agent workspaces if used.