Skillv2.0.4

ClawScan security

JEP Guard · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

BenignApr 25, 2026, 1:50 PM

Verdict: benign
Confidence: medium
Model: gpt-5-mini
Summary: The skill's code, hooks, and manifest are consistent with a local 'guard' that intercepts OpenClaw skill executions, requires explicit consent to enable interception, and writes local audit data — nothing obvious is disproportionate to that stated purpose, but some daemon/server code was truncated so full remote/IO behavior couldn't be verified.
Guidance: What to consider before installing: - The package appears to be exactly what it says: a local security/audit daemon that intercepts OpenClaw skill actions and writes audit logs to ~/.jep-guard. Its hooks use a local IPC socket and do not auto-start the daemon — you must start the daemon explicitly. - Review and verify the remaining daemon code (server/router/audit/registry files that were omitted/truncated in the bundle). Those files are responsible for the server-side behavior (network endpoints, any outbound calls, permissions) and are the highest-value review items for security. - Before enabling Full Protection (mode 'full' / manual init): - Inspect daemon/server.js (and router/audit/registry implementations) for any code that performs outbound network calls, binds non-local sockets, or performs privilege escalation. - Check file permissions for ~/.jep-guard (guard.key and audit files) to ensure keys and logs are readable only by the intended user (mode 600/700 used in scripts is appropriate). - When starting the daemon, confirm the IPC socket path ownership/permissions so an attacker cannot create or hijack the socket. Prefer running the daemon as a dedicated, non-root user. - If you want minimal risk initially: install in Passive mode (the installer defaults to it and the post-install script documents that) so you have SDK/logging without interception, and only enable Full mode after code review and manual testing in an isolated environment. - Because some files were truncated in the provided bundle, I recommend either inspecting the full source from the declared repository (https://github.com/hjs-foundation/jep-guard) or running the package in a sandbox/VM and monitoring network and filesystem activity before trusting it in production.

Review Dimensions

Purpose & Capability: okName/description, manifest capabilities (process control, file_write, local IPC), lifecycle hooks, and SDK/hooks implementation all align: the package builds a local daemon, listens on a local socket, intercepts preExec/postExec/preDelegate calls, and writes audit logs to ~/.jep-guard. Declared risk_level 'critical' is reasonable given it intercepts skill execution.
Instruction Scope: noteRuntime instructions and hooks confine themselves to OpenClaw hooks, local filesystem (~/.jep-guard), and a local IPC socket (os.tmpdir()/jep-guard.sock). Hooks do not run arbitrary shell commands and have fallbacks if the daemon/socket is absent. Note: the guardCall uses a local TCP/UNIX socket — if some other local process could bind/replace that socket, it could alter behavior; the code relies on local IPC trust and the config/consent files to enable full mode.
Install Mechanism: okThis is an instruction-only skill manifest with included source and Node.js lifecycle hooks; the post-install and pre-uninstall scripts use only pure Node.js libraries (fs, tar, net, tweetnacl) and explicitly promise no spawn/exec or auto-start. There are no remote downloads in the shown scripts; dependencies are standard npm packages. No URL shorteners or remote extract operations seen in provided files.
Credentials: okThe skill declares no required environment secrets and lists only a few optional env flags (JEP_PASSIVE, JEP_LITE, CI, JEP_PURGE) used for installation modes. It writes keys and audit logs to a local config directory and documents that explicit consent is required to change OpenClaw runtime settings. Requested capabilities (local IPC, file write, process interception) match the stated purpose.
Persistence & Privilege: noteThe skill does not set always:true and requires manual daemon start (post-install explicitly disables auto-start). The manifest and installer declare that enabling full protection modifies OpenClaw runtime settings only with explicit consent. This is a privileged capability (intercepting skill executions), but the package documents and implements explicit consent and local manual start — review of the daemon code (truncated here) is still recommended before enabling full mode.