Skill v1.3.0

ClawScan security

Jentic WhatsApp QR · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Review: Mar 3, 2026, 5:36 PM
Verdict: Review
Confidence: high
Model: gpt-5-mini
Summary
The skill appears to implement a legitimate WhatsApp-QR capture, but the runtime instructions read an internal OpenClaw config/token (not declared) and instruct use of it to post into Mattermost threads — an access mismatch that deserves caution.
Guidance
This skill’s core code to capture and convert a WhatsApp QR looks coherent and consistent with its description. The main concern is that the SKILL.md shows reading an internal OpenClaw config file (/root/.openclaw/openclaw.json) to pull a Mattermost bearer token (JENTIC_MM_SHIRKA_TOKEN) and using it to upload the PNG into a thread — but the skill metadata declares no required credentials or config paths. Before installing or running this skill:
1) Confirm you trust the skill author and the internal domain (mattermost.claw.jentic.ai).
2) Ask the author to declare any required config paths or environment variables (or change the workflow to require the user to supply a token explicitly) so you can review and grant only the needed permission.
3) If you do not want the skill to read agent config, run the script manually yourself (outside autonomous invocation) and deliver the PNG via your normal chat/file tools.
4) Inspect /root/.openclaw/openclaw.json on a test agent to see what token would be exposed and restrict access if necessary.
5) Prefer running the script interactively the first time to verify behavior rather than allowing autonomous runs.
If the author clarifies and declares the token usage (or modifies the skill to avoid reading internal tokens), the incoherence would be resolved.

Review Dimensions

Purpose & Capability
Rating: concern
The scripts' behavior (running `openclaw channels login --channel whatsapp`, capturing terminal output, converting block-character QR to PNG) matches the stated purpose. However, the SKILL.md also shows reading /root/.openclaw/openclaw.json to extract JENTIC_MM_SHIRKA_TOKEN for Mattermost thread uploads. The skill metadata declares no required config paths or credentials, so the documented access to an agent config file is inconsistent and unexplained.
Instruction Scope
Rating: concern
SKILL.md correctly instructs immediate execution of the capture script to avoid QR expiry. But it also includes an inline python command that reads the agent's OpenClaw config file to obtain a Mattermost token and curl commands that post files to https://mattermost.claw.jentic.ai. That requires reading sensitive agent-local state and calling an external API — behavior outside the minimal QR-capture scope and not declared in requirements. The README's admonition not to read files before starting is contradicted by the token-read step required for thread delivery.
Install Mechanism
Rating: ok
This is an instruction-only skill with two small local Python scripts and no install spec. Nothing is downloaded from external URLs and no install actions are defined, which is the lower-risk model for skills.
Credentials
Rating: concern
No env vars or config paths are declared, yet the SKILL.md demonstrates reading /root/.openclaw/openclaw.json to extract JENTIC_MM_SHIRKA_TOKEN. Accessing an agent config file and bearer token is disproportionate unless the skill explicitly requires permission to use that token. The code itself does not exfiltrate data, but the instructions show how to reuse an internal token to post to a Mattermost API — this is sensitive and should be declared and authorized explicitly.
Persistence & Privilege
Rating: ok
The skill does not request always:true and does not modify other skills or system-wide settings. The generate_qr.py forks a child to keep the login session alive for ~55s, which is expected behavior for this task.