Skillv1.0.3

ClawScan security

Truclaw Biometric · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

SuspiciousApr 16, 2026, 8:12 PM

Verdict: suspicious
Confidence: medium
Model: gpt-5-mini
Summary: The skill's purpose (biometric confirmation for dangerous actions) is generally coherent, but it relies on third-party infrastructure (an author-hosted relay), an npm install step, and privileged interception that together raise trust and installation-supply-chain concerns you should understand before installing.
Guidance: This skill's design is coherent for a biometric guardrail, but it requires installing third-party code (npm/git) and relies on an author-hosted relay that handles push delivery and short-lived JWTs. Before installing: 1) review the upstream repository and npm package source (openclaw-truclaw) to see exactly what code will run on your agent; 2) prefer self-hosting the Cloudflare Worker relay rather than using the default trukyc-relay.trusources.workers.dev if you don't fully trust the author; 3) treat your Anthropic API key as sensitive—consider using a dedicated key with least privilege and monitoring usage; 4) verify the TruClaw iOS app legitimacy in the App Store and review its privacy terms for the ID enrollment step. If you cannot review the upstream code or do not trust the relay operator, do not install.

Review Dimensions

Purpose & Capability: okThe name/description (biometric guardrail) align with the declared requirements: an Anthropic API key for danger classification and a relay URL for push/JWT exchange. Requiring those env vars is reasonable for the stated design.
Instruction Scope: noteSKILL.md stays mostly inside the stated scope (intercept tool calls, call Anthropic for classification, relay to deliver push and temporary JWT). However it instructs the user to enroll with ID scanning (on-device enrollment) and to run npm install/build steps from the repo — installing and running code on the host. The doc also depends on trusting that the relay ‘never sees biometric data’ (a claim you cannot verify from the skill bundle alone).
Install Mechanism: concernInstall is via npm (package name openclaw-truclaw) and SKILL.md also shows git clone + npm install/build. The skill bundle itself contains no code files; installing the npm package or building the cloned repo will pull and execute third-party code not included in the bundle. This is moderate supply-chain risk and worth reviewing the upstream package/source before running.
Credentials: noteOnly two env vars are requested (ANTHROPIC_API_KEY_TRUKYC and TRUKYC_RELAY_URL), which are consistent with the described architecture. The Anthropic key is sensitive (gives API access) and TRUKYC_RELAY_URL points by default to an author-controlled Cloudflare Worker—using the shared relay requires trusting the relay operator with push/session handling. Self-hosting the relay is supported and recommended if you don't trust the author-hosted endpoint.
Persistence & Privilege: noteThe plugin is described as running in a privileged before_tool_call hook so it can intercept and block dangerous tool calls; this capability is necessary for the feature but is powerful. always is false (good). Autonomous invocation is allowed by default; combined with networked relay and code installed from npm, this increases the effective blast radius if the code or relay are malicious.