Skill v3.0.0
ClawScan security
Crash Fixer · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Suspicious · Feb 25, 2026, 1:32 AM
- Verdict: suspicious
- Confidence: high
- Model: gpt-5-mini
- Summary: The skill's code and runtime instructions disagree about which AI service it uses and which secrets are required, and it sends sensitive crash data to an undeclared external API — proceed only after the author clarifies and fixes these inconsistencies.
- Guidance: This skill has clear inconsistencies you should resolve before installing:
  - Ask the author to explain and fix the mismatch between SKILL.md and index.js: SKILL.md says MiniMax M2.5 is available and 'no extra API key needed', but the code calls https://api.minimax.chat with Authorization: Bearer ${ZAI_API_KEY} (an env var not documented). It also mentions 'Codex 5.3 High' in the docs, but the code does not call OpenAI.
  - Treat this as a potential data-exfiltration risk: the code sends crash details (including user_id and device info) to an external endpoint (minimax.chat). Only proceed if you trust that endpoint and the associated API key usage is documented and intended.
  - Never supply your personal GH_TOKEN with broad scopes. If you test, create a limited service token with only the repo scopes needed, and prefer a test repo.
  - Request an updated SKILL.md that lists all environment variables used (including ZAI_API_KEY) and documents where crash data is sent. If the skill must call an external AI API, ask for justification why it cannot use the platform-provided model.
  - If you cannot get clear answers, run the skill in a sandboxed environment (dry-run) with minimal secrets and monitor network egress to confirm where data is sent before granting production credentials.
Review Dimensions
- Purpose & Capability (concern): The declared purpose (fetch crashes, analyze, produce PRs) aligns with the requested GH_TOKEN, CRASH_REPORTER_API_KEY, CRASH_REPORTER_URL, and TARGET_REPO. However, SKILL.md mentions using the local/available MiniMax M2.5 and 'Codex 5.3 High', while the code calls an external minimax.chat API — a mismatch between description and actual implementation.
- Instruction Scope (concern): SKILL.md says no extra API key is needed and that MiniMax M2.5 is available in OpenClaw, but index.js posts crash payloads (including user_id and device/device_info) to https://api.minimax.chat and supplies an Authorization header from process.env.ZAI_API_KEY. The instructions do not disclose this external endpoint or the additional env var, meaning crash data will be transmitted outside the declared systems.
- Install Mechanism (ok): No install spec (instruction-only) and no downloads are present; risk from installation is low. There is a bundled index.js file, so the runtime behavior must be inspected, but nothing writes arbitrary external install artifacts.
- Credentials (concern): Declared env vars (GH_TOKEN, CRASH_REPORTER_API_KEY, CRASH_REPORTER_URL, TARGET_REPO) are reasonable for the described task. But the code also expects ZAI_API_KEY (used to call an external minimax.chat service), which is not declared in SKILL.md. SKILL.md also references 'Codex 5.3 High' (an OpenAI model) despite no OpenAI credential being requested. Undeclared credentials and model mismatches are a red flag.
- Persistence & Privilege (ok): The skill sets always:false and does not request persistent platform privileges. It will create branches/commits/PRs using the user's GH_TOKEN (expected for the task), so standard least-privilege guidance applies for that token.
