Skill v2.3.1
ClawScan security
Mission Control · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Suspicious · Feb 20, 2026, 4:02 PM
- Verdict: suspicious
- Confidence: medium
- Model: gpt-5-mini
- Summary: The skill largely does what it says (a Kanban dashboard + webhook transform) but it reads/writes local agent config and credentials and contains a webhook transform that will run on your machine with lax HMAC behavior if misconfigured — several design choices are unexpected and worth review before installing.
- Guidance: What to check before installing:
  - Review the webhook transform (assets/transforms/github-mission-control.mjs) yourself. It will be copied to ~/.clawdbot/hooks-transforms and will receive GitHub push webhooks. Ensure you trust the code that will be executed on webhook events.
  - Ensure a webhook secret is configured before enabling the transform. The transform's verifyHmac() will skip HMAC validation when the secret file is absent (it returns true), which would accept unauthenticated webhooks. Set up and verify the secret file path in config before exposing the endpoint.
  - Be aware the transform reads local GH CLI config (~/.config/gh/hosts.yml) to obtain tokens. If you do not want the skill to access your GitHub tokens, do not allow it to be installed or provide an alternative read-restricted token.
  - The agent will create/modify files under ~/.clawdbot and the workspace, and documentation shows modifying the global hooks mapping. Back up your existing ~/.clawdbot configuration before installation and inspect any changes the agent proposes.
  - Limit exposure: if possible, test in an isolated environment (throwaway workspace and throwaway GitHub repo) and use scoped tokens. Only provide Slack/GitHub/gateway tokens you are willing to expose to the skill's runtime.
  - If multiple users can edit the dashboard (multi-user setup), treat all task content as untrusted input and configure agent sandboxing/permissions accordingly.
  If you want, I can list the exact lines in the transform and scripts that read secrets or change global config and explain mitigation steps for each.
Review Dimensions
- Purpose & Capability
  - note: Name and description match the included files: a dashboard, CLI helper, and a GitHub webhook transform that wakes an agent. The included scripts and transform are generally coherent with the stated purpose (install UI, copy files, set webhook, wake agents).
- Instruction Scope
  - concern: SKILL.md instructs the agent to copy files into your workspace and into ~/.clawdbot/hooks-transforms, create ~/.clawdbot/mission-control.json, set up GitHub webhooks, enable Pages and configure Tailscale Funnel. That requires reading/writing local config and modifying the global hooks mapping (affecting gateway/hook behavior). Installing a transform that will receive external webhooks and wake agents is within scope but expands the agent's runtime surface significantly and touches other agent/global configs.
- Install Mechanism
  - ok: This is an instruction-only skill with no external download/install spec. All code is bundled in the skill and would be copied by the agent; there are no external URLs or archive downloads in the install spec.
- Credentials
  - note: The feature legitimately needs GitHub tokens, a gateway hook token, and optional Slack tokens; these are surfaced in example configs. However, the skill does not declare required env vars even though the transform will read environment variables and local files (e.g., gh CLI hosts.yml, ~/.clawdbot/clawdbot.json, ~/.clawdbot/secrets/github-webhook-secret). Reading the gh CLI token and other local secrets is functional but sensitive and not called out as a required permission in metadata.
- Persistence & Privilege
  - concern: The agent will create and modify files under ~/.clawdbot and in the chosen workspace and will copy a transform into the global hooks-transforms directory; that can alter global webhook handling for the Clawdbot/OpenClaw gateway. 'always' is false, but the transform is persistent and receives external requests. The skill may therefore change behavior of other hooks/tools if the agent edits ~/.clawdbot/clawdbot.json or similar global config (examples/docs show instructions to add hook mappings).
