Skillv1.0.0

ClawScan security

Dynamic Tool · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

BenignMar 9, 2026, 9:24 AM

Verdict: benign
Confidence: medium
Model: gpt-5-mini
Summary: The skill's code and instructions are consistent with its stated purpose (keyword-based tool recommendation), but it includes guidance that could lead to risky gateway modifications and always recommends the exec tool — review and limit any changes before applying.
Guidance: This skill appears to do what it says: keyword-based recommendations for which tools to expose. Before installing or applying its suggestions: 1) Be cautious about following the README's 'gateway-level filtering' advice — it proposes patching OpenClaw distribution files (auth-profiles-*.js). Back up those files and review any code you paste into core bundles. 2) Note that the implementation always includes the 'exec' tool in recommendations; ensure your exec tool is safely sandboxed or disabled if you don't want agents running shell commands. 3) Verify and inspect any external links or code snippets (the README references a GitHub path that looks like a placeholder). 4) If you plan to apply the gateway patch, restrict who can perform that change and test in a non-production environment. If you want a lower-risk approach, use the skill's get_recommended_tools output in your agent logic without modifying core OpenClaw files.

Review Dimensions

Purpose & Capability: okName/description match the implementation: index.js implements keyword-to-tool mapping and exposes get_recommended_tools which returns recommended_tools and a hint. No unrelated env vars, binaries, or credentials are required.
Instruction Scope: concernSKILL.md/README stay within purpose (call get_recommended_tools with the last user message) but also recommend: (1) specific system-prompt rules, and (2) optionally patching the OpenClaw distribution (auth-profiles-*.js) to perform gateway-level filtering. The README's recommendation to patch core gateway files is potentially risky and should be reviewed carefully. Also, the implementation unconditionally includes 'exec' in every recommendation, which may cause the agent to prefer running shell commands; ensure exec tool restrictions/policies are in place.
Install Mechanism: okNo install spec; skill is instruction + small JS module. Nothing is downloaded from external URLs and there are no install-time scripts, so no high-risk installation behavior is present in the package itself.
Credentials: okNo environment variables, credentials, or config paths are requested. The skill does not require secrets or unrelated service tokens.
Persistence & Privilege: noteThe skill does not request always:true and is user-invocable only. However, README suggests modifying gateway-level code to enforce filtering — that change would grant persistent behavior to the gateway and should be treated as a privileged modification (backup and review recommended).