Skill v1.1.0
ClawScan security
Openclaw · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Suspicious · Mar 10, 2026, 2:58 PM
- Verdict: suspicious
- Confidence: medium
- Model: gpt-5-mini
- Summary: The skill's stated purpose (persistent Mark protocol storage) aligns with the tools it uses, but the runtime instructions require running a remote install script (curl | bash), reading system token files (possibly with sudo), and registering a bridge binary — these install-and-token behaviors are disproportionate and warrant caution.
- Guidance: This skill appears to do what it says (connect to a Mark server and store versioned markdown), but it asks you to run a remote install script and to read token files (including /etc/* with sudo on Linux). Before installing, do at least one of the following:
  - Inspect the install script at the GitHub URL yourself (do not run it blindly) and verify it does only what you expect.
  - Prefer configuring a remote server: provide your own server URL and a write token you control instead of letting an installer produce system-wide tokens.
  - Avoid running curl | bash directly; download the script, review it, and run it in a constrained environment (container, VM) or with least privilege.
  - Confirm whether the token stored at /etc/demarkus is necessary for your use; prefer per-user tokens (~/.demarkus) to avoid exposing system-scoped secrets.
  - If you must install mcporter via npx/npm, review that package (and its version) before execution.

  If you are not comfortable auditing the installer or exposing a token file under /etc, do not install this skill on a machine containing sensitive credentials.
Review Dimensions
- Purpose & Capability (note): Name/description (persistent memory via mark://) matches the required binaries (mcporter or npx, curl, bash) and the token files. However, the declared required config paths include both a user token file (~/.demarkus/initial-token.txt) and a system token file (/etc/demarkus/initial-token.txt), which is unusual: the instructions use one or the other depending on OS, but listing both as required is imprecise and could cause the agent to assume access to a system-wide secret unnecessarily.
- Instruction Scope (concern): SKILL.md instructs running a remote installer via curl piped to bash from a GitHub raw URL and reading token files (using sudo on Linux) into shell variables, then calling demarkus token add and mcporter config add. These steps read and transmit a sensitive token and execute arbitrary code fetched at runtime. The instructions also recommend resolving tokens into a 'token store' but explicitly show the agent reading files and using sudo, which expands the skill's access to system-level secrets.
- Install Mechanism (concern): The primary install path is 'curl -fsSL https://raw.githubusercontent.com/latebit-io/demarkus/main/install.sh | bash' (remote script executed directly). While the host is GitHub (well-known), piping a remote script into bash is high-risk because it runs arbitrary code on the machine. The fallback/alternate install is an npm-style package (mcporter), which also pulls code from a package registry; both are reasonable for developer tooling but increase attack surface compared with instruction-only skills.
- Credentials (concern): No environment variables are declared, but the skill expects and directs access to sensitive config files that contain initial tokens. Reading /etc/demarkus/initial-token.txt (with sudo) is elevated access and may expose system-scoped tokens unrelated to the agent. The skill does not declare any minimal credential scope or clearly explain why system-level token access is required rather than only per-user tokens.
- Persistence & Privilege (note): The skill is not force-enabled (always: false) and allows normal autonomous invocation. It instructs registering an mcporter config entry in the user's home scope and storing tokens in a token store; these are expected for a client/daemon integration. There is no indication it modifies other skills or global agent settings, but the installer writes files and registers binaries on the host, which is persistent behavior and should be reviewed before running.
