Skill v0.2.4

ClawScan security

Skill Review · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Benign · Mar 3, 2026, 8:41 PM
Verdict
benign
Confidence
high
Model
gpt-5-mini
Summary
The skill's code, requirements, and instructions are consistent with its stated purpose: scraping ClawHub pages and enriching results with VirusTotal data; requested resources and behavior are proportionate and expected.
Guidance
This skill appears to do what it says: it scans your local skills' SKILL.md to form ClawHub slugs, loads each ClawHub page in a headless browser (Playwright), extracts security scan summaries, and uses your VirusTotal API key (or ~/.openclaw/.env fallback) to enrich results. Before running: inspect scripts/skill_review.py and suppressions.json yourself (they're bundled), decide whether you are comfortable providing your VIRUSTOTAL_API_KEY (the script will use it to query VT and may cause VT requests tied to your key), and be aware that installing Playwright will download Chromium/brand binaries from upstream. If you don't want network access for a run, don't execute the script — it visits external sites (clawhub.ai and VirusTotal) by design.

Review Dimensions

Purpose & Capability
ok · The skill says it scrapes ClawHub pages and gathers Security Scan (VirusTotal/OpenClaw) info and runtime requirements for local skills. It requires python3 and VIRUSTOTAL_API_KEY and uses Playwright to render client-side content — all of which are coherent with that goal.
Instruction Scope
ok · Runtime instructions and included script enumerate local skill folders (SKILL.md), derive slugs, visit https://clawhub.ai/<owner>/<slug>, expand page details, and extract Security Scan / Runtime / Comments. The script only reads SKILL.md, optional slug-map, and a local suppressions.json (next to the script or in parent) and may read ~/.openclaw/.env as a fallback for the VT key. It does not attempt to read unrelated system files or credentials.
Install Mechanism
note · No install spec is provided (instruction-only with bundled script). The script depends on Playwright (Python) and therefore the user will likely install the playwright package and download Chromium via 'playwright install chromium' — this downloads a browser binary from upstream, which is expected but worth noting as an external binary download.
Credentials
ok · Only VIRUSTOTAL_API_KEY is required (declared). The script legitimately uses the VT key to query VirusTotal and implements client-side rate limiting. The only other env-read behavior is a fallback to ~/.openclaw/.env to find the same key; no unrelated secrets or credentials are requested.
Persistence & Privilege
ok · The skill is user-invocable and not set to always: true. It writes an output markdown to the specified --out path (example /tmp/) and may create Playwright browser artifacts if you install Playwright, but it does not persistently modify other skills or system-wide agent settings.