Skillv1.0.0

ClawScan security

Clawdocs Improved · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

ReviewFeb 22, 2026, 8:46 PM

Verdict: Review
Confidence: medium
Model: gpt-5-mini
Summary: The skill is largely coherent with being an offline documentation helper, but a prompt‑injection pattern was detected in the runtime instructions and the skill includes network-fetching scripts and a recommended curl|bash installer — review before trusting or executing anything.
Guidance: What to check before you install or run this skill: - Review the bundled shell scripts (./scripts/*.sh) yourself. They fetch docs from https://docs.openclaw.ai and write cached files under ~/.openclaw/cache/clawddocs; ensure you are comfortable with those network calls and local writes. - Do NOT run the recommended curl -fsSL https://openclaw.ai/install.sh | bash command without inspecting that script first — that pattern can install arbitrary code. - The SKILL.md and reference files include many example placeholders like ${OPENAI_API_KEY} and ${OPENCLAW_GATEWAY_TOKEN}. The skill does not declare it requires secrets, but be explicit: do not let the skill (or the agent using it) read environment variables or secret files unless you explicitly permit it. - The pre-scan detected a 'system-prompt-override' pattern. That can be a false positive for documentation content, but it can also indicate phrasing intended to influence the agent runtime. If you plan to allow the agent to invoke the skill autonomously, restrict its capability to run shell commands or access secrets until you've validated behavior in a sandbox. - If you only want read-only help, use the skill as a human-in-the-loop tool: run scripts yourself in a controlled shell and paste snippets into the agent, rather than allowing the agent to run them autonomously. If you want higher confidence about safety, provide the full omitted scripts/content (the scan noted some files were truncated) and test the scripts in an isolated environment (container or VM) to observe their network calls and filesystem changes.
Findings: [system-prompt-override] unexpected: A prompt‑injection signature was detected in SKILL.md. The visible SKILL.md primarily contains doc navigation and instructions to use local references and the bundled scripts, but this pre-scan flag suggests the skill text may include phrasing that could try to modify agent system behavior. Treat this as a potentially risky pattern and review the skill text and how the agent runtime enforces system prompts before enabling.

Review Dimensions

Purpose & Capability: okName/description match the provided files: the SKILL.md plus the references/* and snippets/* files together implement a documentation/config reference skill. The included scripts (search, fetch, sitemap, cache, track-changes) are proportionate to a docs/search helper.
Instruction Scope: noteSKILL.md explicitly instructs the agent/user to read local reference files and snippets and to run bundled scripts (./scripts/*.sh) to search/fetch docs and build indexes. It also tells users to check /tmp/openclaw/openclaw.log for reload errors and to cross-reference an external 'Context7 /openclaw/openclaw' source — these are within scope for a docs skill but do cause the agent to interact with local files and to perform network fetches. The SKILL.md also recommends running an external installer via curl -fsSL https://openclaw.ai/install.sh | bash in the 'install/deploy' advice — that is a high‑risk operation if executed without review. Overall the instructions are coherent but grant the agent discretion to fetch remote content and read/write under the user's home directory; exercise caution.
Install Mechanism: okThere is no install spec (instruction-only), which is low risk. The shipped shell scripts use curl to fetch docs from docs.openclaw.ai and write caches to ${HOME}/.openclaw/cache/clawddocs. Those network calls and filesystem writes are expected for this functionality; no obscure download URLs or archive extraction were found in the provided files.
Credentials: noteThe skill does not declare required env vars or credentials (none required), which aligns with being a documentation helper. However, the reference documents include many example config fragments containing placeholders like ${OPENAI_API_KEY}, ${OPENCLAW_GATEWAY_TOKEN}, etc. Those are examples in docs (expected), but they could confuse an agent or user into thinking secrets are needed or should be read — the SKILL.md itself does not request them. Confirm the agent will not attempt to read environment variables or secret files unless the user explicitly asks it to.
Persistence & Privilege: okalways:false and no install spec — the skill does not request persistent global inclusion or elevated platform privileges. Its scripts write under the user's home (~/.openclaw/cache/clawddocs) which is reasonable for caching; the skill does not attempt to alter other skills or system-wide configuration in the files reviewed.