Skill v1.0.0
ClawScan security
Group Activation · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Suspicious · Feb 27, 2026, 3:39 PM
- Verdict: suspicious
- Confidence: medium
- Model: gpt-5-mini
- Summary: The skill's stated purpose (temporarily joining/leaving group chats) is plausible, but the runtime instructions require editing the agent's global config file and scheduling jobs without declaring those config paths or permissions, an incoherence that warrants caution.
- Guidance: This skill asks the agent to edit openclaw.json (a global gateway config) and to create one-shot cron jobs, but the skill metadata doesn't declare any config paths, required binaries, or permissions. Before installing: (1) ask the author to explicitly declare required config paths and scheduling mechanism (e.g., an API vs. direct file edits), (2) prefer an implementation that uses a gateway control API rather than raw file edits, (3) ensure the agent runs with least privilege (deny write access to openclaw.json unless strictly necessary), (4) require audit/logging for any config changes and scheduled tasks, and (5) test in a staging environment first. Because the package is instruction-only and the scanner had no files to check, perform manual review or request more detail from the publisher before granting the agent permission to modify system configuration or create scheduled jobs.
Review Dimensions
- Purpose & Capability (note): Name and description match the runtime behavior: the skill is meant to open and close an agent's participation window in group chats. However, the procedure requires writing to a global gateway config (openclaw.json) and manipulating per-channel group entries; those capabilities are more privileged than the skill metadata declares (no required config paths or permissions).
- Instruction Scope (concern): SKILL.md explicitly instructs the agent to patch `channels.<platform>.groups.<group_id>.requireMention` in openclaw.json, create one-shot cron jobs, cancel them, and possibly remove group entries. Those steps modify system-wide configuration and scheduling, which go beyond simple message handling and are not scoped or constrained in the instructions (no safeguards, no explicit API usage, no limits on which files/entries may be changed).
- Install Mechanism (ok): Instruction-only skill with no install spec and no code files: lowest install risk. The static scanner had no files to analyze.
- Credentials (concern): The skill declares no required env vars or config paths, yet asks to read inbound metadata and to modify openclaw.json and create cron/at jobs. Granting the ability to edit openclaw.json and schedule jobs is a high-privilege action not justified by the declared requirements; those accesses should be explicitly declared and limited.
- Persistence & Privilege (concern): Although always:false and autonomous invocation are normal, the skill's behavior requires changing a global gateway configuration (hot-reloaded) and creating scheduled jobs. This effectively gives the skill capability to change agent-wide access controls and persist state across restarts, a meaningful privilege that isn't surfaced in the metadata.
