Skill v1.0.1

ClawScan security

ClawDoctor · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Review: Mar 15, 2026, 1:15 PM
Verdict: Review
Confidence: medium
Model: gpt-5-mini
Summary
The package largely implements an OpenClaw monitor/fixer (consistent with its description) but includes executable scripts that read logs, kill/restart processes, modify configs, and reference a cloud endpoint — it asks for no credentials yet can access and change sensitive local state and potentially exfiltrate data, so it requires caution.
Guidance
Plain-language checklist before installing or running this skill:

- Understand what it will do: the package contains runnable agents and a web server that will read OpenClaw logs/configs (~/.openclaw, /tmp/openclaw), stop/kill processes, restart the gateway, edit config files, and delete large logs. Those are powerful, potentially disruptive actions.
- Inspect install.sh and server.py locally (do not run them) to see exactly what will be executed. If you are not comfortable reading shell/Python scripts, ask a technical colleague to review them.
- Don’t run it as root. Test inside an isolated environment (VM, container, or disposable machine) first so any destructive actions are contained.
- Backup OpenClaw config and logs (e.g., copy ~/.openclaw) before allowing fixes to run, so you can restore if something changes unexpectedly.
- Check network behavior: the code includes a cloud API endpoint (https://api.clawdoctor.io) and a placeholder for api_key. Unless you trust the upstream service and author, avoid setting API keys or enabling cloud reporting. Monitor outbound network connections while running the tool.
- Verify upstream source: SKILL.md references a GitHub repo (github.com/olveww-dot/clawdoctor). Confirm the repo, its commit history, and that the package you install matches that repository. Contact the author for clarification about the cloud endpoint and the unicode-control-chars finding.
- If you only want monitoring (no changes), run the read-only scripts (e.g., the _simple agent) in read-only mode and avoid invoking any 'fix' or 'start' actions from the dashboard.

If you cannot perform these checks or do not trust the origin, treat the skill as untrusted and avoid installing it on production systems.
Findings
[unicode-control-chars] unexpected: The SKILL.md contained prompt-injection / unicode control character patterns flagged by the scanner. There is no legitimate reason for hidden/unusual unicode control characters in a normal README/SKILL.md; this could indicate an attempt to confuse automated scanners or human reviewers. Treat the file contents as suspicious until cleaned/clarified.

Review Dimensions

Purpose & Capability
Concern: The name/description (OpenClaw health monitor & fixer) matches the included code: multiple agent and server scripts, dashboard, and fixer logic. However the SKILL metadata declared no required binaries or env vars while the code clearly calls external tools (curl, tail, grep, pkill, launchctl, openclaw CLI) and reads/writes OpenClaw config/log directories. The omission of required binaries/config declarations is an inconsistency and reduces transparency.
Instruction Scope
Concern: SKILL.md gives simple install/run instructions and doesn't mention the full runtime actions. The package code goes beyond passive monitoring: it reads many local files (~/.openclaw, /tmp/openclaw, logs), edits configuration (overwrites ~/.openclaw/openclaw.json), kills/terminates processes, restarts services, deletes large logs, and includes a web server/dashboard that triggers actions. Those behaviors are within a 'fixer' scope but are powerful and not fully documented in SKILL.md, granting broad discretion over local system state.
Install Mechanism
Concern: The registry entry contains no formal install spec but the package includes an install.sh and multiple executable Python scripts. SKILL.md suggests git cloning from a GitHub repo (a reasonable source) or npx clawhub; install.sh content wasn't shown but is present and could execute arbitrary commands. The lack of an explicit, auditable install step in the skill metadata plus included scripts is a risk because users may run the script without fully reviewing it.
Credentials
Concern: The skill declares no required environment variables or credentials, yet the code contains a configurable cloud API endpoint and api_key placeholder (agent.py), imports requests, and has a send_to_cloud function (commented out), meaning the code is structured to send reports remotely if configured. The package also accesses many local config/log paths and system process state despite no declared need for special credentials. That mismatch (no declared secrets but capacity to read/modify local files and to report externally) is disproportionate and warrants caution.
Persistence & Privilege
Note: always:false and no explicit persistent privilege escalation flags are set. Still, the included agents are designed to run continuously and perform system-level actions (process termination, restart, config editing). While not requesting platform-level 'always' privilege, the code can change system state when executed and could be invoked autonomously by an agent runtime, a risk amplified if run with high privileges.