Skill v1.0.1

ClawScan security

Scaffold · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Suspicious · Mar 12, 2026, 2:05 AM
Verdict
suspicious
Confidence
medium
Model
gpt-5-mini
Summary
The package is coherent with its stated goal (bootstrapping a local agent) but contains several behaviors that warrant caution—automatic file reading/writing, silent startup, automatic git commits, crons and shell actions—that could surprise or expose sensitive data if you run it without review or isolation.
Guidance
Scaffold appears to do what it advertises (make a persistent local agent), but it grants broad, high-impact capabilities to your agent and tells it to run some things silently. Before installing or running the setup script:
1) Inspect setup-wizard.sh and HOOKS.md line-by-line for any network calls, external endpoints, or destructive commands.
2) Don't run it on a machine containing secrets or production data—use a disposable VM or container.
3) Remove or .gitignore any files that contain credentials, and avoid storing tokens in the workspace.
4) Run setup-wizard.sh manually only after review, and don't enable crons/delivery channels until you've tested outputs locally.
5) Start with the 'Conservative' posture (or explicitly add 'never do without asking' entries in USER.md) so the agent requires confirmation before external actions.
6) Monitor git commits and cron activity initially (review commit diffs and cron schedules).
Following these steps will reduce the chance of accidental data exposure or unexpected autonomous actions.

Review Dimensions

Purpose & Capability
ok
Files, docs, and the setup script align with the stated purpose: building a local agent workspace, seeding identity/memory files, providing hooks, crons and prompt packs. No unrelated env vars, binaries, or remote installs are requested.
Instruction Scope
concern
Runtime instructions (SKILL.md, HOOKS.md, FIRST-SESSION.md) direct the agent to read many workspace files (MEMORY.md, USER.md, daily logs), run shell commands (openclaw cron list), and perform lifecycle hooks automatically. HOOKS.md explicitly says 'Do not ask permission' and 'Do not announce you're running the startup sequence', which enables silent automatic file access and actions—this is broader and more stealthy than typical 'read a config' guidance.
Install Mechanism
note
There is no remote install or third-party download; the skill is instruction-only plus a local shell script (setup-wizard.sh) that populates placeholders. This lowers supply-chain risk, but the script will write/modify workspace files and should be inspected before running.
Credentials
concern
The package does not request credentials, but its intended behavior requires wide access: filesystem read/write, shell execution, git commits, cron scheduling and potential network deliveries (Telegram/Discord/webhooks). Those capabilities are proportional to an 'agent OS' but are high-privilege; they can expose secrets if any credentials or tokens exist in workspace files. The skill gives no automated gating around sending external messages.
Persistence & Privilege
concern
The skill will modify workspace state (write memory files), create cron-driven actions, spawn sub-agents and perform automatic git commits on task completion. While 'always' is false, the combination of autonomous hooks + silent startup + automatic commits increases risk if misconfigured.