Skill v1.0.0

ClawScan security

TBOT Controller · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Suspicious
Feb 11, 2026, 8:13 PM
Verdict: suspicious
Confidence: medium
Model: gpt-5-mini
Summary
The skill's code matches its stated purpose (controlling a local TBOT runtime and generating webhooks) but it reads runtime .env/.keyfile data, accesses many environment variables not declared in metadata, and will perform network POSTs — these behaviors are coherent with the feature set but widen the skill's data and network surface and should be reviewed before installing.
Guidance
This skill appears to do what it says: discover a local TBOT runtime, read DBs (read-only by default), manage services (docker/systemd) only after explicit confirmation, and generate/send TradingView-style webhook JSON. Before installing:
1) Review the included scripts yourself: they will search for and read .env and .keyfile in candidate runtime folders (these can contain broker/webhook secrets).
2) Understand that tbotjson.py will perform HTTP POSTs to the configured webhook URL (default localhost, but user-supplied values are allowed); do not point it at unknown remote endpoints or supply secret keys you don't want transmitted.
3) Note that many environment variables are used by the scripts though not declared as 'required' in metadata; consider storing sensitive values securely and limit where .env/.keyfile live.
4) Test in a safe environment (local VM or dev machine) with RUN_IT unset to confirm read-only behavior; only set --run-it or RUN_IT=1 when you intentionally want mutating control.
If you lack confidence, ask for the author's provenance or run the skill code in isolation first.

Review Dimensions

Purpose & Capability
note: The name/description align with the included files: discovery, DB-read helpers, lifecycle control (docker/systemd), and webhook JSON generation. The brew install of 'uv' and the bash entrypoint are consistent with running the packaged Python scripts. Generating and sending webhook JSON to TBOT is explicitly implemented in scripts/tbotjson.py and matches the declared 'json' mode.
Instruction Scope
concern: SKILL.md requires OpenClaw to invoke only the provided bash entrypoint and to run discovery before control actions; the scripts follow that contract. However, the runtime instructions and scripts perform filesystem discovery (search candidate runtime dirs, read .env and .keyfile), run subprocesses (docker, systemctl), read local SQLite DBs, and tbotjson.py will ALWAYS POST generated JSON to a webhook URL (which may be overridden). The SKILL.md states 'DB-first, discovery only for status/control', but tbotjson.py performs discovery to locate webhook keys, a minor inconsistency that expands the skill's read-surface. Overall the instructions are feature-coherent but grant broad discretion to read files and make network calls when used.
Install Mechanism
note: Installation uses a single brew formula 'uv', which is the documented runtime helper for this skill. Using Homebrew for a known package is low-to-moderate risk; nothing in the install spec downloads arbitrary archives or writes unexpected files. The skill expects the 'uv' binary to exist and will instruct users to 'brew install uv' if missing.
Credentials
concern: The registry metadata lists no required env vars, but the SKILL.md and code reference and rely on many environment variables (MODE, COMPOSE_DIR, TBOT_COMPOSE_DIR, TBOT_WEBHOOK_URL, WEBHOOK_KEY, TVWB_UNIQUE_KEY, TBOT_DB_PATH / TBOT_DB_OFFICE, RUN_IT, SYSTEMD_USER, DEFAULT_*). The scripts will read .env and .keyfile files to obtain webhook keys and other runtime secrets. While these env/file accesses are explainable given the purpose, they are not declared in 'requires.env' and mean the skill can read local secret-bearing files and potentially transmit values to a webhook endpoint.
Persistence & Privilege
ok: The skill is not marked always:true and does not request persistent system-wide privileges. It does run subprocesses and may start/stop services only with explicit confirmation (--run-it or RUN_IT=1). It doesn't modify other skills or system-wide agent settings. Autonomous invocation (disable-model-invocation=false) is normal platform behavior and not by itself a red flag here.