Skill v1.0.0

ClawScan security

Openclaw Config Expert · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Suspicious
Apr 29, 2026, 2:38 PM
Verdict
suspicious
Confidence
medium
Model
gpt-5-mini
Summary
The skill broadly matches a configuration-management purpose, but there are several mismatches and automation behaviors (auto-routing, cron creation, undeclared credentials/required binaries) that don't add up and deserve manual review before installation.
Guidance
Things to check before installing or enabling this skill:
1) Source/trust: This skill is published with an unknown homepage/source. Only proceed if you trust the publisher or can audit the code.
2) Inspect router and recovery scripts: Review router.py (routing interceptor) and scripts/emergency_recovery.py to see exactly what commands they run, what checks they perform, and whether they can execute arbitrary shell commands or network calls.
3) Confirm declared requirements: Ask the maintainer to update registry metadata to list required binaries (python3, openclaw, ollama if used) and all environment variables the skill may read. Do not assume templates = declared requirements.
4) Review network behavior: Search the repository for outbound network calls, hard-coded endpoints, or POST/GET calls that could exfiltrate data (e.g., any use of requests, urllib, socket, or subprocess calls that curl/wget). Verify model provider baseUrls are expected and safe.
5) Test in isolated environment: Run the skill in a non-production sandbox or staging host first. Pay special attention when running 'recover', 'rollback', 'restart', or any 'setup' that adds cron tasks or router rules.
6) Check backup/restore behavior: Confirm where backups are stored (~/.openclaw) and retention policy. Ensure backups cannot be overwritten or sent externally without your consent.
7) Explicit opt-in for auto-routing & cron: If you do not want automatic command execution from user messages, do not enable the automatic routing/crons; require manual invocation only. Prefer disabling/inspecting router/routing_rules before enabling automatic interception.
8) If you lack ability to audit code: Consider rejecting or running with high isolation until an auditor verifies there is no secret exfiltration or surprising behavior.
If you want, I can (a) scan the specific scripts you are most concerned about (router.py, emergency_recovery.py) for suspicious patterns, or (b) extract and summarize all subprocess/network calls in the code bundle to help focus review.

Review Dimensions

Purpose & Capability
note
The name/description (config validation, repair, routing, emergency recovery) align with the included code (config_validator.py, agent_optimizer.py, emergency_recovery.py, cron_manager.py, model_router.py). However the SKILL metadata presented to the registry omits expected requirements: SKILL.md lists python3 as a required binary while registry metadata shows none; config templates and docs instruct users to set many provider/channel API keys (DEEPSEEK_API_KEY, QWEN_API_KEY, FEISHU_APP_SECRET, WECOM_SECRET, etc.) that are not declared as required environment variables in the skill metadata — this mismatch is unexpected and should be clarified.
Instruction Scope
concern
The runtime instructions and routing docs show the skill will: intercept natural-language messages and auto-route them to run local commands (router rules / ROUTING_SETUP.md), execute scripts that modify ~/.openclaw/openclaw.json, perform atomic writes and backups, restart the Gateway, and run an 'emergency_recovery.py' (including rollback and restart). Auto-routing that translates user messages into commands which change system configuration is powerful and can result in commands running without explicit additional consent. You should review router.py and emergency_recovery.py to confirm what they execute and what checks/authorizations exist.
Install Mechanism
ok
There is no external install spec (no downloads or installers) — code is packaged with the skill files. That reduces risk from arbitrary remote code fetch during installation. However these packaged scripts will execute on the host when invoked, so local effects still apply.
Credentials
concern
The registry metadata declares no required env vars or primary credential, but multiple config templates and README examples require many API keys and channel secrets (DEEPSEEK_API_KEY, QWEN_API_KEY, FEISHU_APP_SECRET, WECOM_SECRET, etc.). This is inconsistent: the skill may attempt to read or instruct storing those secrets even though they were not declared up-front. Also scripts reference external commands ('openclaw', 'ollama', etc.) that are not listed as required binaries in registry metadata. Ask the maintainer to declare all required binaries and environment variables clearly.
Persistence & Privilege
concern
The skill can add scheduled tasks via CronManager (it calls 'openclaw cron add' with job payloads) and contains logic to auto-restart the Gateway and create backups. While 'always' is false, the skill's recommended setup step will create persistent scheduled jobs and routing rules that cause automatic future execution. That persistence combined with powerful actions (config modification, restarts) increases blast radius and should be explicitly confirmed by the administrator before enabling.