
ClawScan security

Openclaw Tokenapi Qiehuan Skills · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Suspicious (Mar 23, 2026, 8:37 PM)
Verdict: suspicious
Confidence: medium
Model: gpt-5-mini
Summary
The package generally implements a local WebUI model-switcher, but the documentation and code disagree about how API keys are handled and the backend can write sensitive files and run system commands — review before installing.
Guidance
This package mostly does what a local model-switcher would do, but there are important mismatches and sensitive behaviors you should check before installing:

- Do not assume API keys stay only in the browser: the backend endpoints accept API keys and call secure storage/update routines. Inspect backend/secure_config.py to confirm whether API keys are encrypted at rest and how keys are written to ~/.openclaw/agents/.../auth-profiles.json.
- Review any restart scripts referenced (tools/restart_gateway.bat, gateway.cmd under ~/.openclaw). Those are executed by the service (subprocess calls and taskkill) and could run arbitrary commands if modified or replaced on disk.
- Confirm the server only binds to localhost in your deployment. If it binds to 0.0.0.0 or you run behind a proxy, CORS allow_origins=['*'] may expose endpoints that accept API keys to other hosts.
- If you will store real production API keys, test in an isolated environment first (VM/container) to verify where keys end up and whether they are protected.
- If you want to proceed, at minimum: (1) inspect secure_config.py to verify encryption, (2) restrict CORS or bind to 127.0.0.1 only, (3) review or replace restart scripts with safe versions, and (4) consider running with least privilege and backups of ~/.openclaw before first run.

Because of the documentation/code disagreement about API key handling and the ability to run system commands and write to sensitive config locations, treat this skill as suspicious until you verify those details.

Review Dimensions

Purpose & Capability
concern: The skill's name/description (model switcher + local API Key memory) matches the included frontend and backend code. However, SKILL.md states "API keys are stored only in the browser's localStorage (locally) and are not uploaded to any server" and claims the backend only reads/writes openclaw.json (non-API parts). The backend code (routes and ConfigManager) clearly accepts API keys via API endpoints and calls secure_config.update/save and update_auth_profile — i.e., it persists API keys to disk/agent auth-profiles. That mismatch between README and implementation is a substantive inconsistency.
Instruction Scope
concern: Runtime instructions tell the agent to start a local backend and modify ~/.openclaw/openclaw.json and auth-profiles files. The code implements endpoints that write configs and API keys, and a GatewayController that runs system commands (taskkill, spawn gateway.cmd, launch a restart .bat). Those actions go beyond simple in-memory switching: they modify user files and control local processes. That scope is plausible for a gateway manager, but it's sensitive and should be explicit to the user.
Install Mechanism
ok: No remote download/install spec is included; the package is local code + static frontend and a pip requirements file. No external arbitrary URL downloads or extract operations were detected. Risk from installation is limited to installing Python dependencies and running the included code.
Credentials
concern: The skill requests no declared environment variables, but it will accept and persist provider API keys via HTTP endpoints and write to user config paths (e.g., ~/.openclaw/openclaw.json and ~/.openclaw/agents/main/agent/auth-profiles.json). Whether keys are encrypted at rest depends on secure_config.py (not shown in the truncated listing). The backend also enables permissive CORS (allow_origins=['*']) which could expose the local API if the server is not strictly bound to localhost — this amplifies risk for stored credentials.
Persistence & Privilege
note: The skill is not always-enabled and is user-invocable. It does request ability to modify local OpenClaw files and to start/stop local processes via subprocess calls. Autonomous invocation (default allowed) combined with these capabilities increases potential impact, but autonomous invocation alone is not being flagged — it's the combination with file/credential writes and process control that is notable.