Skill Review

Audited by ClawScan on May 10, 2026.

Overview

The skill mostly matches its advertised scraping/reporting purpose, but it can automatically relabel Suspicious or Malicious scan results as Acknowledged using bundled suppressions that are not disclosed in SKILL.md.

Before installing, inspect suppressions.json and verify important findings directly on ClawHub/VirusTotal/OpenClaw, because the generated report may show some Suspicious or Malicious results as Acknowledged. Use a limited VirusTotal API key and install Playwright in an isolated environment.

Findings (3)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

A report may make serious scanner findings look already accepted or less urgent, which could cause a user to miss issues that deserve review.

Why it was flagged

The security-reporting tool can alter scanner verdict labels for matching skills. Because SKILL.md does not disclose this suppression behavior, users may think they are seeing the raw ClawHub/VirusTotal/OpenClaw result when they are seeing an adjusted status.

Skill content
A slug with any suppression entry will have its corresponding scanner status changed to "Acknowledged" in output (instead of Suspicious/Malicious).
Recommendation

Make suppressions explicit and opt-in, document them in SKILL.md, and show both the original scanner status and the suppression reason in the report.

What this means

The skill can access your VirusTotal API key if it is in the environment or ~/.openclaw/.env.

Why it was flagged

The script uses a VirusTotal credential and can read it from either the environment or a local OpenClaw .env file. This is aligned with VirusTotal report lookup, but it is still credential access.

Skill content
def _load_vt_api_key() -> str | None:
    """Load VirusTotal API key from env or ~/.openclaw/.env."""
    key = os.environ.get("VIRUSTOTAL_API_KEY")
Recommendation

Use a limited VirusTotal key, avoid sharing logs that might contain environment details, and document the ~/.openclaw/.env fallback in the skill metadata/instructions.

What this means

Installing the dependencies adds external code and browser binaries to the local environment.

Why it was flagged

The skill instructs users to install Playwright and Chromium if missing. This is expected for a browser-rendered ClawHub scraper, but it depends on external package/browser downloads without pinning in the provided artifact.

Skill content
python3 -m pip install playwright
python3 -m playwright install chromium
Recommendation

Install in a virtual environment from trusted package sources, and consider pinning Playwright/Chromium versions for repeatable review runs.