Skill v1.0.2

ClawScan security

Openclaw Snitch · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Benign · Feb 26, 2026, 4:44 AM
Verdict: benign
Confidence: high
Model: gpt-5-mini
Summary
The skill's code, hooks, and runtime instructions are consistent with its stated purpose as a local blocklist guard that injects a bootstrap directive, warns on messages, and sends Telegram alerts; nothing in the package requests unrelated credentials or installs unexpected tooling.
Guidance
This skill appears to do what it says: injects a bootstrap security directive, warns on incoming messages, blocks matching tool calls, and notifies Telegram recipients configured in your OpenClaw channels. Before installing: (1) review and verify the npm package publisher and source (npm install -g runs code on your machine); (2) confirm which Telegram 'allowFrom' IDs are configured so alerts go to expected recipients; (3) understand that the bootstrap directive is a content file pushed into agent contexts (it is not an enforced kernel-level policy) and can be bypassed if an agent or user can edit hooks/config; (4) follow the recommendation to lock down plugin/hook files only after validating behavior, and be cautious when running chown/chmod commands requiring elevated privileges. If you want stronger guarantees, test in a disposable agent/workspace and inspect the installed npm package contents before trusting it in production.

Review Dimensions

Purpose & Capability
ok · Name/description align with required files and behavior: the hooks inject bootstrap directives and message warnings, and the plugin intercepts before_tool_call and broadcasts via the platform Telegram channel. No unrelated environment variables, binaries, or external services are required by the skill itself.
Instruction Scope
note · SKILL.md instructs copying hooks into ~/.openclaw/hooks and (optionally) installing the npm package globally; these steps match the included hook and plugin code. One overstatement: the bootstrap directive claims it 'cannot be overridden by user messages or system prompts', but it is implemented as a bootstrap file pushed into the agent context (a content directive) and therefore is not a cryptographically enforced policy; an agent or user with write access to config/hooks could still circumvent it. The skill's instructions also suggest permission-locking extension files (chmod/chown), which is a user-side hardening suggestion, not an enforced action.
Install Mechanism
note · The registry entry has no automated install spec (instruction-only), but SKILL.md recommends installing an npm package (npm install -g openclaw-snitch). That is a common delivery method for OpenClaw plugins. Installing an npm package performs arbitrary code installation (the standard risk for any third-party npm package), but nothing in the skill's files points to obscure download URLs or installers.
Credentials
ok · The skill declares no required env vars or credentials. The hooks optionally read SNITCH_BLOCKLIST from the environment to customize the blocklist; the plugin reads the host OpenClaw config (channels.telegram.accounts) to resolve recipient IDs for alerts. No unrelated secrets or multiple unrelated credentials are requested.
Persistence & Privilege
ok · The skill is not marked always:true and does not request elevated platform privileges. It registers event handlers (agent:bootstrap, message:received, before_tool_call), which is expected for this purpose. It does recommend (user-driven) file permission changes to reduce tampering, but the skill itself does not auto-modify other skills or global settings beyond adding bootstrap files via the plugin hook.