Skillv1.0.0

ClawScan security

Tsz · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

SuspiciousFeb 17, 2026, 5:22 PM

Verdict: suspicious
Confidence: high
Model: gpt-5-mini
Summary: The package claims to be a ClawdHub CLI helper but contains a different large Python project (FreeRide) that reads/writes ~/.openclaw, requires an OpenRouter API key, and performs network calls — the pieces don't line up and need clarification before installing.
Guidance: Do not install this skill yet. The published metadata and SKILL.md advertise the ClawdHub CLI (npm 'clawdhub'), but the package contains an unrelated Python project (FreeRide) that will read and modify ~/.openclaw/openclaw.json, store state under your home directory, and require an OpenRouter API key. Before proceeding, ask the publisher to explain: (1) why FreeRide files are bundled with a ClawdHub skill, (2) which files are actually installed/run when you 'npm i -g clawdhub', and (3) provide the source for the npm package and the exact install/run flow. If you must test, do so in an isolated environment (VM/container) and inspect activator/extract shell scripts, the watcher/daemon code, and any network endpoints (openrouter.ai). Verify the npm package on the official registry and prefer packages with a clear single-purpose source repo. If you want only the ClawdHub CLI, fetch and review the official 'clawdhub' npm package directly rather than installing this mixed bundle.

Review Dimensions

Purpose & Capability: concernRegistry/SKILL.md describe a ClawdHub CLI (npm package 'clawdhub') and list only the 'clawdhub' binary, but the bundle includes a full Python project (FreeRide) with main.py, watcher.py, many assets, and skill.json for a 'freeride' skill. The declared install (npm clawdhub) does not explain the large Python codebase, duplicated files, or multiple _meta.json entries with different slugs. This is incoherent: either unrelated code was bundled, or the metadata is incorrect.
Instruction Scope: concernThe SKILL.md provided is just usage for the ClawdHub CLI (no file reads). However, included runtime code (main.py, watcher.py) explicitly reads/writes the user's OpenClaw config at ~/.openclaw/openclaw.json, reads OPENROUTER_API_KEY (env or config), writes cache/state files under ~/.openclaw, and makes network calls to openrouter.ai. Those behaviors are outside what the ClawdHub CLI usage would suggest and are not described in the SKILL.md visible to the agent.
Install Mechanism: noteThe declared install is an npm package 'clawdhub' which is a reasonable, traceable mechanism. However, the package contents include Python scripts and shell scripts (activator.sh, extract-skill.sh) and many duplicated files; it's unclear how/if those Python files are installed or executed by the npm package. The presence of shell extractor/activator scripts increases risk because they can run arbitrary commands or install additional components.
Credentials: concernThe registry metadata lists no required env vars, yet the included project (skill.json and code) requires OPENROUTER_API_KEY and will look in env or ~/.openclaw/openclaw.json for credentials. The bundle will access and modify user config files under ~/.openclaw, meaning it needs credential/config access that is not declared in the top-level requirements — a mismatch and a potential privacy/security concern.
Persistence & Privilege: concernThe Python code writes persistent state and config under the user's home (~/.openclaw/.freeride-cache.json, .freeride-watcher-state.json, and modifies openclaw.json). It also includes a watcher/daemon mode that can run continuously. While 'always' is false, the ability to persistently modify OpenClaw configuration and run a background watcher is significant and not represented by the ClawdHub-only description.