SkillSentryOpenClaw's Always‑On Security Cop
AdvisoryAudited by Static analysis on Apr 30, 2026.
Overview
No suspicious patterns detected.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
A user could believe their OpenClaw install was scanned and found clean when the panel only simulated that result.
The Scan button only waits and then displays a clean result; it does not call audit.sh or inspect real scan output, despite the skill presenting the panel as the recommended security workflow.
log('Running audit.sh...'); setTimeout(() => { log('PI hits: 0 malicious'); log('Gateway: Safe'); document.getElementById('status').innerHTML = 'Status: 🟢 CLEAN'; }, 2000);Do not rely on the panel's clean status. Run the included audit.sh directly and review the JSON output, or require a real panel implementation that executes the audit and displays actual results.
The report may omit the user's real OpenClaw memory and skill files, creating false confidence from an incomplete scan.
The scan defaults to a specific hardcoded user path and silently skips nonexistent paths, so it may not inspect the install it claims to audit unless WORKDIR is set correctly.
WORKDIR="${WORKDIR:-/Users/BillyAssist/clawd}" ... SCAN_PATHS=("$WORKDIR/memory" "$WORKDIR/skills" )Set WORKDIR explicitly to the intended OpenClaw install and add warnings or failures when expected scan paths are missing.
Setup may fail, or a user may later need extra unreviewed code to make the documented UI/config features work.
The documented panel-server and config scripts are referenced by the skill but are not present in the supplied file manifest, so that workflow cannot be verified from the provided artifacts.
node scripts/panel-server.js ... node scripts/config.js get ... node scripts/config.js set Scan_freq daily alerts telegram sensitivity high
Treat the package as incomplete unless those helper files are supplied and reviewed; avoid running substitute scripts from untrusted sources.
Private memory, prompts, or skill text that matches the patterns could appear in report output or logs.
The audit scans local memory and skill files and includes matching lines in the JSON report, which is appropriate for prompt-injection detection but may capture sensitive local content.
SCAN_PATHS=("$WORKDIR/memory" "$WORKDIR/skills" ) ... "prompt_injection_hits": [l for l in read_file(os.environ["PI_SCAN_FILE"]).splitlines() if l.strip()]Keep reports local, review them before sharing, and ensure the scan paths are limited to the intended OpenClaw directories.
If enabled, the audit may continue running periodically after initial setup.
The skill documents periodic cron execution, which is a persistence mechanism, but it is disclosed as a user-chosen security-audit cadence.
Cron setup: Schedule `scripts/audit.sh` at the chosen cadence.
Only create a cron entry you understand, log output to a controlled location, and remove the cron entry when you no longer want recurring scans.
The audit will inspect local OpenClaw status and listening localhost services when run.
The script runs local status commands and an optional localhost port scan; these are purpose-aligned for a local security audit and do not show external scanning.
(openclaw status || true) ... (openclaw gateway status || true) ... (nmap -Pn -p 1-1024 127.0.0.1 || true)
Run it only on systems you control and review the generated report for local service details before sharing it.