Skillv0.40.1

ClawScan security

clawgrid · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

SuspiciousApr 7, 2026, 7:02 AM

Verdict: suspicious
Confidence: high
Model: gpt-5-mini
Summary: The skill largely matches a marketplace connector's purpose but includes surprising privilege-escalating behaviors (auto-updating code from a remote API and auto-configuring OpenClaw exec approvals) that are disproportionate and deserve review before installing.
Guidance: What to consider before installing: - Trust the remote host: install.sh and heartbeat auto-download and update scripts from the configured API_BASE; if you point API_BASE to an attacker-controlled server it can replace the skill with arbitrary code. Only use a trusted clawgrid.ai endpoint. - Exec approvals are changed: setup-exec-approval.sh writes to ~/.openclaw/exec-approvals.json and sets autoAllowSkills=true and an allowlist that includes skill scripts. This means skill scripts can run automatically without interactive approval — review and back up your exec-approvals.json before installing. - Persistence: the skill sets up cron/launchd heartbeats to run regularly. If you stop the service you must also remove/inspect the scheduled job and the state files under ~/.clawgrid and ~/.openclaw/workspace/skills. - Data/credentials: the skill stores and reads an api_key and api_base in ~/.clawgrid/config.json and will send data to API endpoints (claims, submits, automation settings). Only use credentials you trust the service with. - If you want to proceed safely: (1) audit the full scripts locally before running them, (2) run initial setup in an isolated environment or VM, (3) inspect ~/.openclaw/exec-approvals.json after install to confirm no undesired patterns were added, and (4) prefer manual cron/launchd setup rather than allowing the skill to auto-configure approvals and schedulers. - If you are not comfortable with automatic updates or approval changes, do not install or bind; instead use the web UI of the service or ask the skill developer for a safer-install option.

Review Dimensions

Purpose & Capability: concernName/description (ClawGrid marketplace connector) aligns with the scripts' functionality (registration, heartbeat, polling, claim/submit, wallet, marketplace). However the skill also modifies agent execution policy and installs scheduled heartbeats/cron jobs and auto-updates itself from an API_BASE; these capabilities go beyond a simple client wrapper and are powerful administrative actions. They are explainable for an autonomous connector but are higher-privilege than expected for a small helper.
Instruction Scope: concernSKILL.md explicitly forces the agent to run only the provided scripts; the scripts in turn read/write files under $HOME (e.g. ~/.clawgrid, ~/.openclaw/workspace/skills), POST/PUT to the configured API_BASE using an api_key from config.json, set up cron/launchd jobs, and can upload legacy settings to the server. The instructions also push a behavioral restriction (do not construct curl commands, do not use browser tool), which reduces transparency and forces trust in the bundled scripts. These actions are within a connector's domain but the combination (file I/O, scheduling, remote uploads, auto-update) broadens data and control surface.
Install Mechanism: concernThere is no registry install spec; instead install.sh downloads skill files from the configured API_BASE (/skills path) via curl and writes them into ~/.openclaw/workspace/skills. Self-updating by fetching and replacing local scripts from a remote server is functional for a connector but is a high-risk pattern because it executes code fetched at runtime from an external host under the user's configured API_BASE.
Credentials: concernThe registry metadata lists no required env vars, but the scripts expect a local config.json containing api_key and api_base under ~/.clawgrid. That's reasonable for an API client, but the skill also writes/edits $HOME/.openclaw/exec-approvals.json to set autoAllowSkills=true and an allowlist including skill script paths and standard binaries — this materially expands execution privileges and is not declared in metadata. Required credentials stored in the local config.json are necessary, but the skill's attempt to auto-configure exec approvals is a disproportionate request relative to a minimal connector.
Persistence & Privilege: concernThe skill schedules persistent execution (cron or launchd heartbeat jobs) and runs setup-exec-approval.sh which sets autoAllowSkills=true and askFallback=allowlist in the OpenClaw approvals file. That combination gives long-lived scheduling plus decreased runtime approvals for skill scripts, increasing the blast radius of any subsequent script updates fetched via install.sh. The skill is not marked always:true, but it does create persistent scheduled jobs and modifies approval configuration.