Skill v1.1.0
ClawScan security
Dev Factory · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Suspicious · Mar 13, 2026, 9:14 AM
- Verdict: suspicious
- Confidence: high
- Model: gpt-5-mini
- Summary: The skill's code and runtime instructions request multiple credentials and instruct downloading/running external components (including spawning subprocesses and auto-publishing code) that are not reflected in the registry metadata — the pieces are inconsistent and warrant caution before installing.
- Guidance: This skill bundles a large Python codebase and runtime instructions that: (1) ask you to create/copy a .env with API keys (GitHub, Notion, GLM), (2) clone and run external services (ChatDev/chatdev-v2) from an external GitHub repo, (3) run subprocesses and can auto-modify and push code to GitHub, and (4) schedule recurring jobs. Before installing or running it:
  - Do not provide high-privilege tokens. Instead create minimally-scoped machine/service tokens (GitHub machine user with only repo/create/push scopes needed) and a Notion token limited to a single database.
  - Inspect the code locally (especially builder/correction/fixer.py, integration/github_publisher.py, ACP_TEST_PLAN.md) to confirm what will be executed and what is published.
  - Avoid running 'git clone' or starting services from untrusted external repositories; prefer to inspect/verify that external repo first.
  - Run the skill in an isolated environment (VM or container) without access to sensitive networks or credentials until you are confident.
  - If you expect more assurance, ask the publisher for a homepage, source provenance, or a reproducible package release (not an arbitrary git clone) and request the registry metadata be updated to list the required environment variables.

  Installing without these precautions could expose your tokens, allow code to be pushed publicly, or enable automated production runs that you didn't intend.
- Findings:
  - [SUBPROCESS_EXEC] expected: Multiple files and the ACP_TEST_PLAN include subprocess.run and CLI invocations (openclaw, agent-browser, gh, chatdev server). For a build/orchestration agent this is expected, but it allows arbitrary local command execution so review is required.
  - [GIT_CLONE_EXTERNAL_REPO] unexpected: SKILL.md instructs cloning an external GitHub repo (https://github.com/rebugui/OpenClaw.git). Pulling external code at runtime is a high-risk install path and is not reflected in registry metadata.
  - [CREDENTIALS_USAGE] expected: The skill requests GITHUB_TOKEN, NOTION_API_KEY, GLM_API_KEY etc in SKILL.md. These are necessary for GitHub/Notion/LLM integration, but the registry metadata lists no required env vars — an inconsistency that could hide credential requirements.
  - [AUTOMATIC_PUBLISH] expected: Code and docs include GitHub auto-publishing (gh repo create, git push, release creation). That behavior is expected for a publishing agent but means the skill can publish code remotely if given tokens.
Review Dimensions
- Purpose & Capability (concern): The SKILL.md and included source implement discovery (GitHub, NVD, news), auto-building, self-correction, and GitHub/Notion integration — which matches the description — but the registry metadata declares no required environment variables or credentials while the SKILL.md requires GLM_API_KEY, GITHUB_TOKEN, NOTION_API_KEY, NOTION_DATABASE_ID and other values. That mismatch (declared none vs. instructions requiring secrets) is an incoherence and risk signal.
- Instruction Scope (concern): Runtime instructions tell the agent/user to clone an external GitHub repo, run a local ChatDev server, copy a .env with secrets, run discovery/build scripts, and schedule cron jobs. The bundle's files show use of subprocess/CLI calls, sessions_spawn-like execution, automatic code modification (fixer logic), and automatic GitHub publishing — actions that read/write files, execute local commands, and send data to third-party endpoints beyond a single API. These steps go beyond a small helper and grant broad discretion to modify and publish code.
- Install Mechanism (concern): There is no official install spec in the registry, but SKILL.md instructs git cloning https://github.com/rebugui/OpenClaw.git and starting local services (chatdev-v2). Cloning an external repository at install/run time is a high-risk download path because it pulls code from an external source not validated by the registry. The skill package itself contains many code files (not instruction-only), increasing the attack surface.
- Credentials (concern): The SKILL.md requests multiple credentials (GLM API key, GLM_BASE_URL, GITHUB_TOKEN, GITHUB_USERNAME, NOTION_API_KEY, NOTION_DATABASE_ID, CHATDEV_URL). Those are individually reasonable for the claimed integrations, but the registry lists none — this divergence is unexpected. The skill also references other engine tokens (Claude/Codex) in docs and supports spawning external agents, so the actual credential needs may be broader than documented.
- Persistence & Privilege (note): always:false (good). However the skill includes cron config examples and scripts to register periodic discovery/build jobs and to auto-publish to GitHub, and its code can run subprocesses and spawn other agents (sessions_spawn). Autonomous invocation combined with the ability to modify/push code and use multiple credentials increases blast radius — not problematic by itself, but important for user caution.
