Claw-lint
Verdict: Pass
Audited by ClawScan on May 1, 2026.
Overview
Claw-lint appears to be a coherent local OpenClaw skill scanner, with no artifact-backed evidence of exfiltration, persistence, or destructive behavior.
This looks reasonable for a local static scanner. Limit --root to skill directories you want audited, avoid sharing full inventory output if paths or hashes are sensitive, and treat its risk score as a linting signal rather than a complete malware guarantee.
Findings (2)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
The tool can read and report on installed skill files, and a user-supplied --root can expand that scope; full or JSON output may reveal paths, sizes, modes, flags, and hashes.
The scanner enumerates and scans local skill files, and optionally hashes them, which is expected for a local security linter but means it processes local file contents and metadata.
ROOTS=("$HOME/.openclaw/workspace/skills" "$HOME/.openclaw/skills") ... find . -type f ... scan_text_file ... sha256sum
Run it only against directories you intend to audit, and review full/JSON output before sharing it outside your machine or CI system.
Less external provenance is available to verify the maintainer or project history, even though the provided artifacts do not show malicious behavior.
The artifacts include the shell script, but the registry does not provide an upstream project or homepage for independent provenance verification.
Source: unknown; Homepage: none ... No install spec — this is an instruction-only skill.
Inspect the included shell script before relying on it for security decisions, especially in automated CI/CD use.
