Skill v1.0.0

ClawScan security

V2rayn · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Benign
Feb 23, 2026, 5:22 AM
Verdict
benign
Confidence
high
Model
gpt-5-mini
Summary
The instructions and required actions line up with the stated purpose (managing a local V2RayN client on macOS); nothing requested is disproportionate or appears designed to exfiltrate data.
Guidance
This skill appears coherent for managing a local macOS V2RayN client, but take these precautions before installing/running the suggested script:

1) Inspect the check_v2rayn.sh contents yourself — it reads your V2RayN config file (which may contain server addresses and credentials) and writes a log under $HOME/.openclaw/logs.
2) If you enable the cron job, create the log directory with restrictive permissions (chmod 700) to avoid exposing logs to other local users.
3) Prefer using macOS-native scheduling (launchd) if you want better control and visibility than cron.
4) Do not run the script as root; run it as your user.
5) If you are uncomfortable with automatic reads of your config file, perform the checks manually instead.

Overall, the skill is consistent with its stated purpose, but the user is responsible for safely creating the script and the scheduled job.

Review Dimensions

Purpose & Capability
ok
The skill's name and description (manage V2RayN: list nodes, test connections, auto-failover) match the operations in SKILL.md: reading V2RayN config files, testing proxy ports with curl, inspecting logs, and restarting the app. No unrelated credentials, binaries, or external services are requested.
Instruction Scope
note
The runtime instructions read user V2RayN configuration (~/Library/Application Support/v2rayN/guiConfigs/guiNConfig.json) and log files, perform network requests (curl) through local proxies, and suggest creating a cron job that writes to $HOME/.openclaw/logs/v2rayn_check.log. Reading the V2RayN config is expected for node listing/failover, but that file can contain server details/credentials — this is consistent with the stated purpose, though it means the script will access sensitive connection configuration and store health-check logs locally.
Install Mechanism
ok
Instruction-only skill with no install spec and no code files. Nothing is downloaded or written by an installer; the user (or agent) would create a local script and cron job. This is the lowest-risk install model.
Credentials
ok
No environment variables, credentials, or unrelated config paths are requested. The instructions reference only the V2RayN config/log directories and $HOME for logs, which is proportionate to managing a local client.
Persistence & Privilege
note
Persistence is optional and user-driven: the guide suggests creating a cron job to run a local check script every 30 minutes. The skill does not request elevated privileges, system-wide changes, or always:true. Users should be aware that scheduling the job creates an ongoing local task that will read configs and write logs.