Skill v1.0.0
ClawScan security
Dawang · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Suspicious · Apr 8, 2026, 6:26 AM
- Verdict: suspicious
- Confidence: medium
- Model: gpt-5-mini
- Summary: The skill mostly matches a local workspace/agent bundle, but it contains hard-coded tokens, plaintext credentials and scripts that modify other agents' configs and session stores — capabilities that are broader and more sensitive than the SKILL.md claims.
- Guidance: This package appears to be a full local workspace with automation scripts, but several red flags exist: it contains hard-coded tokens (gateway token in scripts/compact_session.py), plaintext Feishu app credentials in memory files, cookie/session dumps, and scripts that edit agent.json and copy sessions between agents. These actions can expose or move sensitive data and change other agents' state. Do not install or run this skill on a production machine or with real credentials unless you: (1) audit and remove or rotate any hard-coded secrets, (2) review and sandbox or disable scripts that modify /Users/<user>/.openclaw/agents/* and sessions, (3) ensure Feishu/third-party credentials are provided via environment variables or secure vaults rather than left in files, and (4) run the code in an isolated test environment first. If you trust the author and need the functionality, at minimum remove or rotate embedded tokens and thoroughly review fix-* and compact_session scripts before use.
- Findings
[base64-block] unexpected: The pre-scan flagged a base64-block pattern inside SKILL.md content as a potential prompt-injection pattern. The visible SKILL.md is short; this flag indicates the package may contain embedded data or injection-style content worth reviewing.
Review Dimensions
- Purpose & Capability (concern): Name/description (workspace config & skill index) matches many files that are local workspace tooling (cron, heartbeat, scrapers, feeders). However the bundle also includes utilities that directly manipulate other agent state/config (fix-agent-sessions.js, fix-sessions-complete.js), a WebSocket client that uses a hard-coded gateway auth token, and many exported data files (cookies, user data, phone/email). Some of these capabilities (editing agent.json across agents, direct gateway access) go beyond a simple 'index/config' description.
- Instruction Scope (concern): The SKILL.md text is minimal and benign, but the included files instruct or implement actions that read local config and secrets (feishu token lookups, reading ~/.openclaw config files, local cookies), connect to the local gateway (ws://127.0.0.1:18789) with a hard-coded token, and perform session migration/copying between agent directories. The runtime instructions in code access local files and modify agent configs/sessions not referenced in SKILL.md.
- Install Mechanism (note): No external install/download mechanism is declared (instruction-only install), so nothing is pulled from remote during install. However the published bundle already contains many executable scripts and data files — installing this skill will place those files on disk and could grant them local execution when invoked.
- Credentials (concern): Registry metadata declares no required env vars, but multiple scripts expect or try to read secrets: FEISHU_APP_ID/FEISHU_APP_SECRET (and memory files contain plaintext Feishu app id/secret), a hard-coded gateway TOKEN is present in scripts/compact_session.py, and there are cookie/session files with session tokens for external sites (dianping). The skill therefore packages and uses multiple sensitive credentials without declaring or justifying them in SKILL.md.
- Persistence & Privilege (concern): The bundle contains scripts that modify other agents' configuration and session directories (fix-agent-sessions.js updates agent.json and sessions for multiple agents). While always:false and model invocation allowed are normal, these scripts have the ability to change system-wide agent state and copy session data across agents — a high-privilege action that should be explicitly documented and justified.
