Skillv1.1.0

ClawScan security

ClawHub技能探索工具 · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

SuspiciousFeb 20, 2026, 6:31 AM

Verdict: suspicious
Confidence: medium
Model: gpt-5-mini
Summary: Skill claims to be a skill-discovery tool but the package contains automation scripts that modify local configs, auto-publish the skill, and include a hard-coded ClawHub token—behaviour that is not justified by the high-level description.
Guidance: This package is not clearly malicious but contains unexpected automation and an embedded credential. Before installing or running anything: 1) Do not execute scripts untrusted—review each .py file line-by-line. 2) Remove or rotate the hard-coded token immediately; treat it as compromised if ever used. 3) Ask the author why the skill needs automated publish/optimization scripts and why credentials are embedded instead of using environment variables. 4) If you must test, run in an isolated sandbox or container and do not grant it access to your real ~/.openclaw workspace or production ClawHub credentials. 5) Consider rejecting or editing the package to remove auto-publish behavior and to require explicit, documented credentials via env vars before approving it for use.
Findings: [hardcoded_token_in_code] unexpected: scripts/optimization_script.py contains a hard-coded ClawHub token string (clh_bbGajvH2n5moZ28O8z9n6SF57meUTQ6xGuiYtQ5UX1I). A simple skill-discovery tool should not embed platform credentials in code; credentials should be external and declared. [writes_absolute_user_paths] unexpected: Multiple scripts reference and write to absolute user-specific paths under /Users/sunyanguang/.openclaw/workspace/custom-skills/... which is surprising for a general-purpose skill and could modify user data/config without clear consent.

Review Dimensions

Purpose & Capability: concernThe name/description say this is a discovery/navigation tool, which would normally only need APIs to list and search skills. The bundle contains multiple automation scripts (optimize/publish/upgrade) that modify local config files, attempt to publish the skill, and schedule nightly optimization. Those self-promotion/self-publishing capabilities are not mentioned in SKILL.md and are out of scope for a pure explorer tool.
Instruction Scope: concernSKILL.md provides only usage and high-level architecture, but the repository includes scripts that run system commands (curl, clawhub publish), edit files under a specific user's home path, and contain an LLM-driven optimization workflow and a scheduled-nightly plan. The runtime instructions in SKILL.md do not disclose or justify these file-modifying and publish actions, so the actual runtime surface is broader than documented.
Install Mechanism: noteThere is no install spec (instruction-only), which limits automatic code execution on install. However, code files are present in the bundle; installing or running them on the host would execute subprocess commands. The lack of an explicit install step means these scripts will not auto-run on install, but they can be executed by an agent or by a user with command-line access.
Credentials: concernThe package declares no required credentials, but scripts contain a hard-coded ClawHub token and reference absolute user home paths (/Users/sunyanguang/.openclaw/...). Embedding a secret in-repo and relying on user-home-specific paths is disproportionate to a search/browse skill and is unexpected and unsafe.
Persistence & Privilege: concernThe skill is not marked always:true, but repository files (JOURNAL.md, STATE.md, RUNBOOK.md, and scripts) explicitly plan a nightly 2:00am automated optimization/publish job and create or edit files under the user's .openclaw workspace. That implies persistent scheduled activity outside the documented runtime and could lead to repeated automated actions on the host if the scripts are run or scheduled by the user/agent.