Skill v1.0.1
ClawScan security
claude-review · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Suspicious · Mar 11, 2026, 8:36 AM
- Verdict: suspicious
- Confidence: medium
- Model: gpt-5-mini
- Summary: The skill is broadly what it says (a wrapper that runs the claude CLI to review files), but there are multiple inconsistencies and permission-related risks you should understand before installing.
- Guidance: This skill is basically a wrapper that calls your local 'claude' CLI to perform a file-based review and then optionally appends failed items to a LESSONS.md in your home workspace. Before installing or enabling it:
  1. Confirm you have the claude CLI and a Claude API key, and understand where that key is stored (the skill metadata does not declare it).
  2. Inspect the script (review-work.sh) yourself — it uses --dangerously-skip-permissions and asks the model to read ALL files under the provided context path, so avoid passing broad paths (like ~ or /) that could expose unrelated files.
  3. Be aware it will create/append to LESSONS.md by default at ~/.openclaw/workspace/LESSONS.md (or the path in LESSONS_FILE); if you don't want persistent logs, set LESSONS_FILE to a location you control or remove the auto-log block.
  4. The SKILL.md claims the agent will auto-determine arguments, but the script requires explicit task/context; confirm how your agent integration will populate those args.
  5. If you plan to use this in production or with sensitive data, test it in a sandbox and consider removing or modifying the --dangerously-skip-permissions flag or tightening the allowed tool usage before trusting it with private files.
- Findings:
  - [system-prompt-override] expected: The skill appends a system prompt to the Claude invocation to instruct the reviewer. Appending a system prompt is expected for controlling a reviewer, but the pattern is a recognized prompt-injection indicator and combined with --dangerously-skip-permissions it increases risk; review the prompt text and the CLI flags carefully.
Review Dimensions
- Purpose & Capability (concern): The skill's stated purpose (run an independent Claude-based review) matches the included script. However, the SKILL.md repeatedly asserts the agent should 'determine all arguments yourself — the user does NOT need to specify them', while the shipped review-work.sh requires an explicit task summary and --context path. The SKILL.md also references a required Claude API key, but the registry metadata does not declare any required env var or credential: a mismatch between claimed needs and declared requirements.
- Instruction Scope (concern): The runtime instructions and script ask Claude to read all files at the provided path (and optionally a skill SKILL.md and LESSONS.md). That is coherent for a reviewer, but the SKILL.md also contains a system-level reviewer prompt which is appended to the model invocation, and the pre-scan detected a 'system-prompt-override' pattern. The script uses claude with --tools 'Read,Glob,Grep' and instructs the model to 'Read ALL files', which can expose arbitrary user files under the provided path; combined with the appended system prompt and the --dangerously-skip-permissions flag (used in the script), this elevates the risk that the reviewer will access sensitive data if the context path is broad or mis-specified.
- Install Mechanism (ok): No install spec; this is an instruction-only skill plus a single shell script. Nothing is downloaded or written by an installer. Risk from the install mechanism itself is low.
- Credentials (concern): The skill requires a working Claude CLI with a valid API key, and the SKILL.md documents overriding the lessons file location via the LESSONS_FILE env var and, optionally, SKILLS_DIR. Yet the registry metadata lists no required environment variables or primary credential. The need for a Claude API key is not declared in the metadata, so the skill is under-declared and could mislead users about credential requirements.
- Persistence & Privilege (note): always:false (good). The script writes to a LESSONS.md in the user's home workspace (default ~/.openclaw/workspace/LESSONS.md) when reviews fail; persistent storage of review failures is intentional for the feature. This is not an escalation of platform privileges, but it does create persistent files in the user's home and may aggregate review results; users should confirm they are comfortable with that path and its contents.
