Skill v0.3.0

ClawScan security

ClawPulse · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Suspicious · Feb 20, 2026, 7:09 PM
Verdict
suspicious
Confidence
medium
Model
gpt-5-mini
Summary
The skill's high-level purpose (push aggregate agent stats) is plausible, but the runtime instructions ask the agent to access and persist a GitHub token and to read local session files while the registry metadata omits that credential requirement — these mismatches and persistence behaviors warrant caution and manual review before installing.
Guidance
Before installing or enabling this skill: (1) Inspect the npm package and GitHub repo (openclaw-pulse) source code to confirm what exact fields are read from your session files and how data is sanitized; (2) Do NOT allow the agent to auto-extract your existing `gh` CLI token — prefer the interactive device-flow login (Option A) or create a dedicated GitHub token with the minimal scopes required and rotate it after testing; (3) Verify that the JSONL session files truly exclude message content and sensitive tool arguments; (4) Consider running the CLI in an isolated environment or container and avoid installing it globally until you audit it; (5) If you proceed, monitor the ~/.clawpulse/config.json and cron jobs, and consider limiting the token scope and lifetime. The primary red flags are the undeclared GitHub credential requirement and persistent scheduled pushes — both should be addressed before trusting this skill with real credentials or production data.
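Guidance items (1), (3) and (5) ask the reader to check what the session JSONL actually contains and what ends up in ~/.clawpulse/config.json. The script below is an added example, not code from the skill, the openclaw-pulse package or ClawHub. It assumes the two paths named in this review, and the field names in its built-in sample are constructed, not the real OpenClaw session schema. It inventories every key path present in the JSONL (so you can see exactly which fields any stats collector on this host could read), flags content-like or argument-like keys by name, and scans the persisted config for GitHub-token-shaped values (the documented ghp_/gho_/ghu_/ghs_/ghr_ prefixes) and for a file mode that lets other users read the credential.

```python
"""Pre-install audit helpers for the openclaw-pulse review above.

Added example, not code from the skill, the openclaw-pulse package or ClawHub.
Assumed from the review: session logs at ~/.openclaw/agents/main/sessions/*.jsonl
and a persisted config at ~/.clawpulse/config.json. The field names in
SAMPLE_JSONL are constructed; the real schema must be read from the package."""
import json
import re
import stat
from collections import Counter
from pathlib import Path

SESSION_DIR = Path.home() / ".openclaw" / "agents" / "main" / "sessions"
CONFIG_PATH = Path.home() / ".clawpulse" / "config.json"

# Key names that would mean message content or tool arguments are present in
# what the CLI could read. Assumption: a name-based heuristic, not the schema.
# Word boundaries keep usage fields such as "prompt_tokens" from matching.
CONTENT_KEY = re.compile(
    r"\b(content|messages?|text|prompt|args|arguments|params|tool_input)\b", re.I
)
# GitHub token prefixes (ghp_, gho_, ghu_, ghs_, ghr_) followed by the token body.
GITHUB_TOKEN = re.compile(r"\bgh[pousr]_[A-Za-z0-9]{36,}\b")

# Constructed sample: two aggregate-only records, one record carrying message
# content, and one malformed line. Not real OpenClaw session data.
SAMPLE_JSONL = [
    '{"ts": 1, "model": "m", "usage": {"input_tokens": 10, "output_tokens": 5}}',
    '{"ts": 2, "model": "m", "usage": {"input_tokens": 3, "output_tokens": 1}, '
    '"message": {"content": "hello"}}',
    "not json",
]


def flatten(obj, prefix=""):
    """Yield (key_path, leaf_value) for every leaf of a nested JSON value."""
    if isinstance(obj, dict):
        for key, val in obj.items():
            yield from flatten(val, f"{prefix}.{key}" if prefix else key)
    elif isinstance(obj, list):
        for val in obj:
            yield from flatten(val, f"{prefix}[]")
    else:
        yield prefix, obj


def inventory_jsonl(lines):
    """Count every key path across JSONL records and flag content-like paths.

    Returns (counts, flagged). Unparseable lines are counted under
    '<unparseable>' instead of raising, since a live log tail may be truncated."""
    counts = Counter()
    for line in lines:
        line = line.strip()
        if not line:
            continue
        try:
            record = json.loads(line)
        except json.JSONDecodeError:
            counts["<unparseable>"] += 1
            continue
        for path, _ in flatten(record):
            counts[path] += 1
    flagged = sorted(p for p in counts if CONTENT_KEY.search(p))
    return dict(counts), flagged


def audit_config(text, mode=None):
    """Flag GitHub-token-looking values in config text and, given the file's
    st_mode, whether group or others can read the persisted credential."""
    findings = [
        f"github token present: {m.group(0)[:7]}..." for m in GITHUB_TOKEN.finditer(text)
    ]
    if mode is not None and mode & (stat.S_IRGRP | stat.S_IROTH):
        findings.append("config readable by group/others")
    return findings


def audit_host(session_dir=SESSION_DIR, config_path=CONFIG_PATH):
    """Run both checks against the assumed real paths; a missing config is
    reported rather than treated as an error."""
    report = {}
    lines = []
    for path in sorted(session_dir.glob("*.jsonl")):
        lines.extend(path.read_text(encoding="utf-8", errors="replace").splitlines())
    report["session_key_counts"], report["content_like_keys"] = inventory_jsonl(lines)
    if config_path.exists():
        report["config_findings"] = audit_config(
            config_path.read_text(encoding="utf-8"), config_path.stat().st_mode
        )
    else:
        report["config_findings"] = ["no config present (nothing persisted yet)"]
    return report


if __name__ == "__main__":
    print(json.dumps(audit_host(), indent=2))
```

Run it once before installing the CLI and again after a single manual `clawpulse push`; the key inventory tells you which session fields were available to be read, and the config findings tell you whether a token was written to disk and with what permissions. A non-empty `content_like_keys` list does not prove the CLI uploads those fields, only that they are present on disk for it to read, which is exactly the gap the Instruction Scope finding points at: the claim that no message content is collected has to be confirmed in the package source.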

Review Dimensions

Purpose & Capability
note
Name/description (push aggregate token stats to ClawPulse) aligns with the actions described (collect session stats and send to clawpulse.vercel.app). Required binaries (node, npx) are reasonable for installing/running an npm CLI. However, the registry metadata declares no required credentials while the SKILL.md explicitly requires a GitHub token for authentication, which is an inconsistency between declared needs and actual instructions.
Instruction Scope
concern
The SKILL.md tells the agent to read session data from ~/.openclaw/agents/main/sessions/*.jsonl and to push aggregates externally. It also includes an agent-side path for persisting credentials (~/.clawpulse/config.json) and provides an Option B that programmatically extracts a GitHub token via `gh auth token`. The file reads and credential access are within the general claimed purpose but are sensitive operations; the skill asserts 'no message content is ever collected' but gives no verifiable sampling or sanitization steps, so the claim cannot be audited from these instructions alone.
Install Mechanism
note
No formal install spec is embedded in the registry, but SKILL.md instructs users to `npm install -g openclaw-pulse`. Installing from the public npm registry is a common pattern (moderate risk); there is a listed npm package and GitHub repo to inspect. There is no download from obscure URLs or extract-from-archive instructions.
Credentials
concern
The skill effectively requires a GitHub token to authenticate pushes, but the registry metadata lists no required environment variables or primary credential. Option B suggests programmatically extracting a token from the `gh` CLI and writing it to disk, which can expose a broad-scoped credential. Requesting/storing a personal GitHub token is sensitive and should be declared explicitly; the current omission is a mismatch and a privacy/privilege concern.
Persistence & Privilege
concern
The skill instructs creating recurring OpenClaw cron jobs to run `clawpulse push --silent` twice daily and persisting a GitHub token under ~/.clawpulse/config.json. While not using always:true, the combination of scheduled autonomous pushes plus stored credentials creates ongoing exfiltration capability if the client or package behaves differently than claimed. This persistence increases risk and warrants review of the package implementation and cron registration steps.