Skill v1.0.0
ClawScan security
status-web · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Suspicious · Feb 16, 2026, 3:40 PM
- Verdict: suspicious
- Confidence: high
- Model: gpt-5-mini
- Summary: The package mostly matches a local monitoring UI but contains several incoherences and risky behaviors (missing files / broken start script, hard-coded system paths, exec of the OpenClaw CLI, and an unauthenticated 'hidden' chat endpoint that can invoke the agent), so proceed only after fixes and review.
- Guidance: Key things to consider before installing:
  1. The package's files contain hardcoded paths (/home/admin/openclaw/workspace), expect an 'openclaw' CLI, and will exec shell commands — it needs privileges to read agent memory and run the agent CLI.
  2. Several inconsistencies exist: the SKILL.md/start instructions reference different script names/paths than provided (start.sh vs start-server.sh; server.js location), and the module get-scheduled-tasks-simple is required by server.js but not included — the package appears incomplete or mispackaged.
  3. The POST /api/chat endpoint can forward messages to the OpenClaw agent using a hardcoded mainSessionId after a simple magic-string check; there is no real authentication. If you expose this server to a network, an attacker who discovers the endpoint or magic phrase could interact with the agent.
  4. Recommended actions: run this only in an isolated environment (container or VM), do not bind to 0.0.0.0 on public interfaces, require/implement proper authentication for /api/chat, review and fix path/script mismatches (ensure the start script points to the correct server.js and that included modules exist), remove or harden any ability to exec the OpenClaw CLI from web-exposed endpoints, and audit the memory files the code will read to confirm no sensitive data is exposed. If you cannot verify or fix these issues, treat the package as untrusted and do not run it on production agents.
Review Dimensions
- Purpose & Capability (concern): The description is a simple status/monitoring web UI, which would reasonably read local status and maybe call OpenClaw APIs. However, the shipped code expects to execute the OpenClaw CLI (execSync('openclaw ...')), read files under /home/admin/openclaw/workspace/memory, and relies on additional modules (get-scheduled-tasks-simple) that are referenced but not present. The skill declares no required binaries or env vars despite depending on the openclaw CLI and a specific filesystem layout—this mismatch is incoherent.
- Instruction Scope (concern): Runtime instructions and scripts attempt to read agent memory files, call a local OpenClaw HTTP endpoint (update-cache.sh calls http://localhost:18789/api/status), and execute OpenClaw CLI commands. The POST /api/chat endpoint, when given a special activation phrase (or unlocked=true), runs `openclaw agent --session-id <hardcoded-id> --message ...` via shell exec and returns the result. That effectively provides a remote-to-agent relay with only a magic-string check (no proper auth). SKILL.md startup instructions reference start.sh and server.js at top level, but the repository uses different filenames/paths, creating further mismatch.
- Install Mechanism (ok): There is no external install/download step (instruction-only install spec), so no remote code is fetched during install. The risk here comes from the included files themselves (they will run on the host), but there are no URLs/archives to flag.
- Credentials (concern): The skill requests no environment variables or credentials, yet the code accesses sensitive local paths (/home/admin/openclaw/workspace and its memory files), expects the 'openclaw' CLI to be present, and calls localhost:18789. For a simple UI this access could be reasonable, but the lack of explicit declared requirements (binaries, config paths, or auth requirements) is disproportionate and hides the true privileges the skill needs.
- Persistence & Privilege (note): The skill does not request always:true and does not modify other skills. However, it opens a local web server exposing an unauthenticated chat API that can invoke the agent CLI (with a hardcoded main session id). That increases blast radius if the server is reachable — you should treat the service as potentially able to influence the agent at runtime and restrict network exposure and authentication accordingly.
