Skill v1.0.0

ClawScan security

Openclaw Plugin · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Suspicious · Apr 29, 2026, 3:39 PM
Verdict
suspicious
Confidence
medium
Model
gpt-5-mini
Summary
The skill is a coherent, instruction-only reference for creating OpenClaw plugins, but it explicitly teaches how to produce high‑privilege plugins (in‑process Gateway code, config writes, subagent spawns, publishing flows) — that capability increases risk and requires careful human review before using any generated artifacts.
Guidance
This skill is a legitimate, detailed authoring reference for building OpenClaw plugins — but it also teaches how to build high‑privilege artifacts that run inside the Gateway and can change config or make network calls. Before installing or using any plugin code produced by this skill:
1) Always review the generated source and manifest line-by-line (do not auto-install generated plugins).
2) Never provide secrets (GitHub, ClawHub, API keys) to the agent; perform publishing and credential operations manually.
3) Test generated plugins in a sandboxed instance or isolated environment.
4) Prefer explicit human approval before enabling or writing to gateway config; consider disabling autonomous installs or restricting agent privileges.
5) If you allow the agent to scaffold a plugin, require a separate review/CI step that runs linting/tests and a security check before enabling it in production.

Review Dimensions

Purpose & Capability
ok · The name and description match the content: the SKILL.md and reference files are a comprehensive authoring guide for OpenClaw plugins (manifests, entry points, channel/provider examples, testing). It does not request unrelated credentials or binaries and does not try to hide other capabilities, so the declared purpose aligns with what it provides.
Instruction Scope
concern · The instructions go beyond scaffolding templates: they include examples that call heavy runtime APIs (api.runtime.*) such as writing OpenClaw config, spawning subagents, and registering tools/channels/providers that run in‑process. The skill claims 'no background network requests' but the examples show patterns (provider baseUrls, token exchange hooks, subagent spawn) that, when implemented and executed as a plugin, will perform network I/O and can access secrets. Because plugins run as trusted, in‑process code with Gateway access, these instructions enable creation of artifacts that can change system behavior and exfiltrate data if misused.
Install Mechanism
ok · Instruction-only skill with no install spec and no code executed at install time. Nothing is downloaded or written by the skill itself, which minimizes installer-level risk.
Credentials
note · The skill itself requests no environment variables or credentials. However its examples and manifest templates reference provider auth env vars and secrets (e.g., API keys, channel bot tokens). That is expected for a plugin authoring guide, but users must be careful: generated plugins will typically ask for/require credentials to operate, so the skill indirectly guides creation of artifacts that request sensitive env vars.
Persistence & Privilege
concern · Although the skill does not set always:true or modify other skills, it explicitly documents how to create plugins that run in‑process with 'full Gateway access' and how to write OpenClaw config (api.runtime.config.writeConfigFile). That means a plugin produced following these instructions can persist configuration, enable/disable plugins, register new tools/providers, and spawn subagents. Combined with the platform's normal autonomous invocation, this creates a high blast radius if generated code is installed or executed without review.