Skill v1.0.0
ClawScan security
Firm Spec Compliance Pack · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Benign · Mar 1, 2026, 10:11 PM
- Verdict: benign
- Confidence: high
- Model: gpt-5-mini
- Summary: The skill is an instruction-only compliance audit pack that is internally consistent with its stated purpose and requests no credentials or installs, but you should verify the required mcp-openclaw-extensions dependency and avoid pointing it at sensitive config files.
- Guidance: This SKILL.md is instruction-only and aligns with an MCP compliance audit pack. Before installing:
  1. Verify and obtain the mcp-openclaw-extensions >= 3.0.0 from a trusted source (the skill gives no homepage or installer).
  2. Inspect the extension's code/packaging so you know what those openclaw_* audit commands do and whether they install additional software.
  3. When running the audits, point config_path to non-sensitive test or exported copies of your config; don't use paths containing secrets or system-wide credentials.
  4. Run the audits in an isolated environment (or with least privilege) until you confirm the extension and tools are trustworthy.

  If you want extra assurance, ask the extension author/source for provenance or source code before enabling the skill in production.
Review Dimensions
- Purpose & Capability [ok]: The SKILL.md describes an MCP protocol compliance audit pack and declares a dependency on mcp-openclaw-extensions >= 3.0.0; the listed CLI-style tools and config_path usage are coherent with an auditing toolset.
- Instruction Scope [note]: Instructions are limited to running audit tools against a user-specified config_path and adding the skill to the agent config. This is appropriate for a compliance pack, but the runtime will read whatever file you point to; do not point it at system or secret-containing config files without review.
- Install Mechanism [ok]: No install spec or code files are included (instruction-only), which reduces risk. However the declared dependency (mcp-openclaw-extensions >= 3.0.0) implies external tooling will be required; the skill provides no source or install instructions for that dependency, so verify where you obtain it.
- Credentials [ok]: The skill requests no environment variables, credentials, or config paths itself. The only resource it references is a user-supplied config_path for audits, which is proportionate to its purpose. Be aware the required extension may itself request credentials or env vars.
- Persistence & Privilege [ok]: always:false and default autonomous invocation are in place; the skill does not request elevated or persistent privileges or modify other skills. No indications it would persist beyond normal skill inclusion.
