Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
security-sweep
v1.1.2. Security scanner for OpenClaw skills and plugins. Scans for hardcoded secrets, dangerous exec patterns, dependency vulnerabilities, and network egress. Use w...
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan (OpenClaw): Suspicious, high confidence
Purpose & Capability
The name/description match the included scripts: the code is a scanner for hardcoded secrets, exec/eval patterns, npm audit and network egress. That capability is coherent with the stated purpose. However, the skill advertises an optional 'auto-encrypt to Notion' feature and references a local helper (notion-secrets.js) and NOTION_MASTER_PASSWORD, yet the skill metadata declares no required environment variables or credentials — a mismatch that needs explanation.
Instruction Scope
The SKILL.md and scripts instruct the agent/user to scan both workspace and built-in skill dirs (including a brew Cellar path). They also recommend an --encrypt-found path that calls a local notion-secrets.js to push encrypted blobs to Notion, and they suggest adding a cron job that schedules periodic scans and writes the report path into agent memory. These behaviors go beyond simple read-only scanning: they involve uploading findings (even if encrypted) to a cloud service and scheduling autonomous runs that can persist report locations in memory. The instructions do not clearly restrict use to user-controlled repos; they do explicitly warn against using encrypt on third-party skills, but that warning is a manual step and easy to miss.
Install Mechanism
There is no install spec (instruction-only + bundled scripts), which keeps install risk low. However, the scripts assume the presence of system tools (grep, bash, mktemp) as well as node and npm (they call node and npm audit), and brew is referenced in SKILL.md; none of these binaries or platform assumptions are declared in metadata. That's a minor coherence gap to surface to users.
Credentials
The code and docs reference NOTION_MASTER_PASSWORD and expect a local helper (~/.openclaw/scripts/notion-secrets.js) and a Notion integration token; yet the skill metadata lists no required env vars or credentials. Uploading found secrets to Notion (even encrypted) and requiring a master password are sensitive operations and should be explicitly declared. The number and sensitivity of these implicit secrets (Notion API token + master password) are disproportionate relative to a simple scanner unless the user explicitly opts into the Notion storage workflow.
Persistence & Privilege
The skill is not force-enabled (always: false). It does, however, include instructions to schedule periodic scans via an openclaw cron add command and to save report paths into agent memory. Scheduling autonomous periodic scans and storing report locations increases the blast radius if misused, but these actions are optional and explicit in SKILL.md. Combined with the Notion upload flow and the undeclared env use, this warrants greater caution.
Scan Findings in Context
[DETECTOR_PATTERNS_EXEC_EVAL] expected: Scripts build regexes and grep for exec(), spawn(), eval(), child_process, and similar patterns in scanned skills — this is expected behavior for a security scanner.
[NOTION_MASTER_PASSWORD_REFERENCED] unexpected: NOTION_MASTER_PASSWORD is referenced in README, references/notion-encryption.md and full-scan.sh for the optional encryption-to-Notion flow, but the skill metadata does not declare any required env vars. The reference is reasonable for the feature, but the absence from requires.env is a coherence/visibility gap.
[EXTERNAL_STORAGE_NOTION_API_CALL] expected: The scripts call a local notion-secrets.js to 'put' encrypted blobs into Notion. This is a plausible feature (secure backup of discovered secrets), but it effectively uploads scan findings to a third-party cloud. The code warns about the risks, yet automatic upload remains an available option and must be treated as a potential data exfiltration vector if misused.
What to consider before installing
This skill appears to be a real scanner, but take care before running it on sensitive or third-party code. Actions to take before using:
- Inspect the scripts yourself (full-scan.sh, skill-scan.sh, quick-scan.sh) and confirm you understand what they will read and where they will write.
- Do NOT use --encrypt-found on code you do not control. The feature uploads encrypted blobs to your Notion account (client-side encrypted), which still transmits ciphertext to a cloud service.
- If you plan to use the Notion flow, verify the local notion-secrets.js tool is trusted and audited; store NOTION_MASTER_PASSWORD only in a secure place (and prefer interactive invocation rather than putting secrets into long-lived CI variables unless you accept the risk).
- Be aware the scripts call npm audit and expect node/npm present; run them in an environment where those tools exist and where running npm audit (and potential network calls) is acceptable.
- The SKILL.md suggests adding a cron job and storing report paths in agent memory — only enable that if you want periodic autonomous scans and you accept reports and their locations being recorded by the agent.
If you are unsure, run scans in a disposable/isolated environment (or on a copy of the workspace) and avoid the encrypt-to-Notion and cron automation features until you've validated the tooling and secrets flow.
