Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Clawket
v1.0.1
Generate QR codes for Clawket mobile app to pair with the local OpenClaw Gateway. Use when user mentions: Clawket pairing, login Clawket, QR code, mobile app...
by Cavano @p697
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Benign
high confidence
Purpose & Capability
Name/description state: generate QR for Clawket pairing. The script reads ~/.openclaw/openclaw.json to extract gateway auth token and port, detects LAN IP, and produces a PNG + ASCII QR. These actions are expected and proportionate to the stated purpose.
Instruction Scope
SKILL.md instructs running the provided script which explicitly reads the raw auth token from ~/.openclaw/openclaw.json (bypassing any redaction) and instructs the agent to send the generated PNG via the message tool. This is necessary for pairing but means a secret token will be written to disk, printed to stdout, and potentially transmitted — the instructions do not require or instruct redaction.
Install Mechanism
No external install/unpack occurs; the skill is instruction-only plus a local script. It depends on qrencode (standard package) and provides sensible installation hints. No downloads from untrusted URLs or archive extraction are present.
Credentials
No environment variables or unrelated credentials are requested. The script reads a local config file to retrieve a gateway auth token — this is expected for the task but is sensitive. The token is embedded in the QR and printed unredacted.
Persistence & Privilege
always:false and no modifications to other skills or system-wide settings. The script writes output to ~/.openclaw/media (a local app directory), which is appropriate for its purpose and does not request elevated privileges.
Assessment
This skill appears to do exactly what it says, but it will read your local OpenClaw auth token and embed it in a QR image (and print it to the terminal). Before installing/using it:
1) Confirm you want the token exported into ~/.openclaw/media/clawket-qr.png and possibly transmitted via chat/message;
2) Run the script locally yourself rather than giving a remote agent permission to run it, if you prefer tighter control;
3) Share the resulting QR only with the intended device/user and consider deleting the PNG afterward;
4) If the token is sensitive, consider rotating/revoking it after pairing or using an ephemeral pairing token if available;
5) If you plan to let the agent send the PNG on your behalf, understand that message logs or the agent's channels could store the token — only proceed if you trust the destination.
Like a lobster shell, security has layers — review code before you run it.
