Skill v1.0.0
ClawScan security
Claw Health · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Review · Mar 15, 2026, 1:11 PM
- Verdict: Review
- Confidence: medium
- Model: gpt-5-mini
- Summary: The skill's code roughly matches a health/repair utility, but there are mismatches and omissions (undeclared system commands, hidden cloud endpoint/telemetry, prompt-injection markers, and ability to modify system state) that warrant caution before installing.
- Guidance: What to check before installing:
  - Verify the source: the registry lists no homepage and the SKILL.md points to a third‑party GitHub repo; confirm you trust the author/URL (contact email is present but unverified).
  - Audit the code yourself (install.sh, package.json, all .py files). Pay attention to any network calls (api.clawdoctor.io), install/downloads performed by install.sh, and any code that writes/overwrites files or runs shell commands.
  - Expect the skill to access and modify local OpenClaw files and system processes (reads logs, edits ~/.openclaw/openclaw.json, deletes large logs, kills/restarts processes). Do not run on a production host without review and backups.
  - Run in a sandbox or non-production environment first. Monitor outgoing network connections while exercising the tool (to detect unexpected exfiltration).
  - If you want to use the dashboard, host it locally and inspect dashboard and server scripts for third‑party calls. Remove or disable cloud reporting code (and any hardcoded endpoints) unless you explicitly opt in and supply credentials.
  - Because the scanner flagged hidden control characters in SKILL.md, fetch the raw files and inspect them for invisible characters or obfuscated instructions.

  If you lack the ability to audit the code, treat this skill as potentially risky and avoid enabling autonomous invocation or installing it on sensitive systems.
- Findings:
  - [unicode-control-chars] unexpected: A prompt-injection detector flagged unicode control characters in SKILL.md. The SKILL.md shown here does not obviously contain visible control characters, so this may indicate hidden characters intended to influence automated reviewers or tools; treat the presence as suspicious and inspect the raw SKILL.md (and files) for invisible/obfuscated content before trusting the package.
Review Dimensions
- Purpose & Capability (note): Name/description (health monitor + one‑click fix + dashboard) align with the included code: the package contains monitoring, repair, and dashboard files that inspect logs, processes, and config and restart services. However, the registry metadata claims 'instruction-only' and lists no required binaries/env vars while the code clearly calls system tools (curl, pkill, tail, grep, openclaw, launchctl) and touches OpenClaw config/log paths — those runtime requirements are not declared.
- Instruction Scope (concern): SKILL.md gives simple install and CLI usage but does not enumerate the full scope of runtime actions. The actual code reads local logs (~/.openclaw, /tmp/openclaw), inspects processes, edits/backs up openclaw.json, deletes large logs, terminates and restarts processes/services, and may contact an external API. Those file reads and destructive actions (deleting logs, terminating processes, overwriting config) are broad and impactful; SKILL.md does not explicitly warn or request explicit consent for those.
- Install Mechanism (note): Registry lists no install spec but the bundle includes install.sh, package.json, and multiple Python scripts; SKILL.md suggests git cloning from a GitHub repo. The code bundle is present in the skill payload (so installing the skill will write/contain executable scripts). No remote download URL shorteners were seen, but the mismatch between 'instruction-only' metadata and included code is a packaging/information inconsistency to verify.
- Credentials (concern): The skill declares no required environment variables or primary credential, yet code contains a cloud endpoint (CONFIG.api_endpoint = https://api.clawdoctor.io/v1/heartbeat) and api_key/user_id placeholders and imports requests. While sending to cloud is currently commented out in one file, the presence of a hardcoded endpoint and the ability to enable reporting means network exfiltration could be enabled later without declaring credentials. Also the code expects system utilities (openclaw, pkill, curl, launchctl) and access to home-dir config/log paths — sensitive accesses not reflected in declared requirements.
- Persistence & Privilege (concern): The skill can modify system state: terminate processes, delete large log files, backup and overwrite openclaw.json, restart gateway services. The skill is allowed to be invoked autonomously (platform default), which increases blast radius if enabled; although 'always' is false, autonomous invocation combined with these privileged actions is riskier than a read‑only monitor and should be considered before granting runtime privileges.
