Skill v1.0.0

ClawScan security

Config Monitor · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Suspicious · Apr 29, 2026, 2:38 PM
Verdict: suspicious
Confidence: medium
Model: gpt-5-mini
Summary
The skill's description and runtime instructions broadly match a config-monitor role, but the SKILL.md assumes local OpenClaw CLI tools and shell scripts (and performs destructive actions) while the metadata declares no binaries, no files, and provides no install — this mismatch and the destructive guidance warrant caution.
Guidance
This skill's purpose aligns with its instructions, but it assumes local OpenClaw tools and scripts that are not provided or declared. Before installing or enabling it:
1) Verify you have the 'openclaw' CLI and the scripts referenced (~/.openclaw/workspace/scripts/*.sh). Inspect the actual script files (config-monitor.sh, config-change-logger.sh) before running them — the SKILL.md does not include them.
2) Do not run destructive commands (xargs rm, rollback) until you have verified backups and tested in a safe environment.
3) Confirm the log and backup paths referenced are correct for your installation (there are some inconsistent path examples in the doc).
4) Be cautious enabling autonomous invocation — consider invoking the skill manually first so it cannot automatically run rollback or deletion commands.
5) Ask the maintainer for a clear dependency list, the missing scripts, and assurances about what the rollback/delete commands do.
If you cannot inspect the referenced scripts, treat this skill as untrusted.

Review Dimensions

Purpose & Capability
Concern: The name and description claim OpenClaw configuration monitoring and the instructions show exactly that. However, the SKILL.md implicitly requires an 'openclaw' CLI and several local scripts (e.g., ~/.openclaw/workspace/scripts/config-monitor.sh, config-change-logger.sh) and specific log/backup paths. The registry metadata declares no required binaries, no install, and provides no code — those dependencies are missing from the metadata and not provided by the package.
Instruction Scope
Note: Instructions are focused on monitoring/reporting and operate on OpenClaw-specific paths (~/.openclaw, /tmp/openclaw, workspace logs), which is consistent with the stated purpose. They also include destructive operations (rm old backups via xargs, rollbacks) and commands that read local logs (tail, grep). The instructions assume the presence and behavior of scripts that are not included; an agent following them could read or delete files under the user's home if those commands are run.
Install Mechanism
OK: This is an instruction-only skill with no install spec and no shipped code. That minimizes the risk of arbitrary remote install, but it increases reliance on pre-existing local tools and scripts that the package doesn't supply.
Credentials
Note: No environment variables or credentials are requested (good). However, the runtime steps access local configuration, logs, backup files, and invoke an 'openclaw' CLI — these filesystem and CLI accesses are appropriate for a monitoring skill but were not declared in metadata. No explicit credential exfiltration is requested, but file read/write and deletion are part of the instructions.
Persistence & Privilege
Note: always:false (normal). The skill allows autonomous invocation (platform default). Combined with destructive commands (rollback, rm old backups, restart gateway), autonomous runs could cause real changes if executed without review. This is a cautionary combination but not itself a proof of malice.