Skillv1.0.0

ClawScan security

Tokenguard Pro · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

SuspiciousMar 12, 2026, 10:38 AM

Verdict: suspicious
Confidence: high
Model: gpt-5-mini
Summary: The skill's description and runtime instructions claim it will scan OpenClaw session logs and install a CLI, but the package manifest is inconsistent (declares an executable and system install steps that are not present) and it does not declare or justify access to logs/configs it needs — this mismatch is suspicious and needs clarification before installing.
Guidance: Do not install or run this skill yet. Key issues to resolve with the publisher: (1) Provide the actual tokenguard-analyze executable/script and full source so you can review it; (2) Explain exactly which OpenClaw log files/paths it reads and why no config paths were declared; (3) Justify the additional required binary 'bc' listed in clawhub.yaml and reconcile bins across files; (4) Remove or explain the proposed symlink to /usr/local/bin (system-level install) or provide an alternative installation method and an integrity-checked release (e.g., GitHub release). If you must test, run in a restricted sandbox or VM, and inspect the tokenguard-analyze script contents before granting filesystem write or log read permissions. Be especially cautious because session logs can contain API keys and sensitive data — ensure the tool will not send logs to external endpoints without explicit, auditable consent.

Review Dimensions

Purpose & Capability: concernThe stated purpose is to analyze OpenClaw session logs. That legitimately requires a binary/script to parse logs and read log files. However the published package does not include the claimed executable (tokenguard-analyze is referenced in README, package.json, and clawhub.yaml but is not present in the file list). clawhub.yaml also adds 'bc' to required bins while SKILL.md and registry metadata list only bash and jq. These inconsistencies indicate the manifest and files do not align with the described capability.
Instruction Scope: concernSKILL.md repeatedly says the tool 'requires access to OpenClaw session logs' and instructs running tokenguard-analyze to scan logs, but the SKILL.md does not declare where logs live, which config paths to read, or how to authenticate to them. The skill does not declare any required config paths or environment variables even though analyzing session logs often requires filesystem or storage access (and logs can contain sensitive tokens). The instructions therefore ask for sensitive data access without describing or declaring it.
Install Mechanism: concernRegistry summary indicated 'No install spec', but clawhub.yaml contains an install step that would symlink tokenguard-analyze to /usr/local/bin (a system path). That operation is potentially privileged and the executable referenced is missing. package.json also lists a bin and preferGlobal: true, implying a global install. The presence of an install directive that writes into /usr/local/bin combined with missing executable is an incoherence and a security risk if the real install were provided without review.
Credentials: noteThe skill declares no required environment variables or config paths, yet its function explicitly needs access to session logs. This omission is disproportionate: either the skill should declare specific log paths/credentials, or it cannot perform its stated function. There are no explicit credentials requested, which reduces some risk, but log access may implicitly expose API keys and other secrets if not scoped and documented.
Persistence & Privilege: notealways:false and user-invocable:true (normal). However the packaged metadata implies creating a symlink into /usr/local/bin and global installation preference — that would give persistent system-level presence and requires elevated file-system write access. Because the file that would be installed is missing, this is currently an unresolved inconsistency rather than a confirmed privilege escalation, but it should be treated cautiously.