Skillv1.0.2

ClawScan security

anydocs - Generic Documentation Indexing & Search · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

SuspiciousFeb 11, 2026, 9:26 AM

Verdict: suspicious
Confidence: high
Model: gpt-5-mini
Summary: The skill mostly does what it says (index and search docs), but there are mismatches between the security claims in the docs and the actual code (notably around browser rendering, sitemap/fetch URL validation, and how gateway tokens are used), so review and limit any gateway tokens before installing.
Guidance: This skill largely does what it claims, but review these important points before installing or supplying secrets: - Gateway token safety: Only provide OPENCLAW_GATEWAY_TOKEN if you trust the gateway endpoint. Prefer running a local gateway (default http://127.0.0.1:18789). Do not set gateway_url to an untrusted remote host while supplying a token — that will forward your token to that host. - Verify site scope: The code allows fetching an arbitrary full URL via the 'fetch' command and will include any <loc> entries from sitemaps without strict domain filtering. If you will index internal or sensitive documentation, make sure profiles' sitemap/base_url entries are correct and review discovered URLs before enabling browser rendering. - HTTPS and browser rendering: The README claims browser rendering rejects HTTP, but the code only enforces HTTPS in some code paths. If you need to prevent rendering of HTTP hosts, add an explicit validation or avoid use_browser/playwright for HTTP targets. - Use a virtual environment: setup.sh recommends and enables a venv — follow that to avoid system-wide package changes. - Minimize token exposure: Load gateway tokens from environment variables (not command-line args or version control), and remove tokens from environment when not needed. - If you need higher assurance, request the missing code changes: (1) enforce domain checks on sitemap URLs, (2) forbid fetch of full external URLs unless explicitly allowed, and (3) enforce HTTPS for all browser-rendering paths or document the exact exceptions. Given these inconsistencies, treat the skill as suspicious (likely well-intentioned but with security oversights) and remediate the above before using with sensitive credentials or internal docs.
Findings: [no_findings] expected: Static pre-scan injection signals: none detected. That does not remove the runtime concerns identified by reading the code (URL validation and gateway token usage).

Review Dimensions

Purpose & Capability: okName/description match the code: this is a documentation indexing/search tool that scrapes sites, caches pages, and builds a local search index. The included modules (scraper, indexer, cache, config) are proportionate to that purpose.
Instruction Scope: concernSKILL.md and README claim strict protections for browser rendering (HTTPS-only, no arbitrary URL injection). The code does not fully enforce those claims: (1) fetch command accepts arbitrary full URLs (if path starts with http) allowing fetching pages outside a configured profile; (2) sitemap parsing will include any <loc> entries without verifying they match base_url before scheduling scraping; (3) the HTTPS restriction for browser rendering is only enforced when use_browser AND gateway_token are both provided — local Playwright usage (or gateway usage without token) can render HTTP URLs. These gaps make it possible to direct the browser tool (or HTTP fetches) at URLs outside the intended profile, and could expose an OpenClaw gateway token to a remote gateway if gateway_url is set to a non-local host.
Install Mechanism: okNo remote download/install spec is present; dependencies are local and pinned in requirements.txt. Optional Playwright usage may require running 'playwright install' (downloads browser binaries) but that's an explicit, local action. setup.sh encourages venv usage. No alarming remote URLs or extract/install-from-URL steps were found.
Credentials: noteThe skill optionally reads OPENCLAW_GATEWAY_TOKEN from the environment to authorize requests to an OpenClaw gateway for browser rendering. That is reasonable for its claimed gateway integration, but the manifest/metadata did not declare required env vars and SKILL.md assumes users will provide the token. Because the gateway token is a powerful secret, the code paths that post it to gateway_url (which can be overridden via CLI) should be treated carefully—sending a token to a remote gateway_url would leak it. No other unrelated credentials are requested.
Persistence & Privilege: okThe skill does not request always:true, does not alter other skills, and stores config/cache under ~/.anydocs which is consistent with its function. It requires normal user-level filesystem access to store profiles and caches.