Skill v2.1.0
ClawScan security
Resy Hunter · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Suspicious · Mar 7, 2026, 6:57 AM
- Verdict: suspicious
- Confidence: medium
- Model: gpt-5-mini
- Summary: The skill mostly does what it says (monitor reservations), but its runtime scripts access other OpenClaw config files for Telegram tokens and the declared environment variables are incomplete, which creates a risk of unexpected credential access.
- Guidance: This skill appears to perform reservation monitoring as described, but it does a few things you should be aware of before installing or running it:
  1. It caches Resy auth tokens and saves Playwright/OpenTable session state in your home directory (~/.openclaw/data/resy-hunter). That is expected for this use, but it means tokens and session cookies will be stored on disk.
  2. notify.sh will attempt to find a Telegram bot token by reading multiple OpenClaw config files in your home directory; if a token exists there it will be used automatically. Review notify.sh and consider setting TELEGRAM_BOT_TOKEN and TELEGRAM_CHAT_ID explicitly rather than leaving a token sitting in config files.
  3. The package includes Playwright, which requires npm install and will download browser binaries; run this in an isolated environment (container/VM) if you want to limit side effects.
  4. The manifest does not list all env vars the code can use (Telegram and possible OpenTable credentials); only provide credentials that are necessary.
  Recommended steps before use: review notify.sh and remove or modify the config-file search if you don't want cross-config access; inspect and, if desired, relocate or encrypt cached token/session files; run Playwright scripts in a sandbox; and only provide RESY_* (and Telegram) credentials if you trust the skill source. If you can obtain the skill from a known source/repo, or the author documents the config-file lookup behavior explicitly, that would increase confidence.
Review Dimensions
- Purpose & Capability (note): Name/description match the included scripts: Resy, OpenTable, and Tock checkers are present and use curl/Playwright as expected. Requiring RESY_API_KEY/RESY_EMAIL/RESY_PASSWORD for Resy is coherent. However, the skill uses Playwright (heavy browser automation) and package.json includes playwright, which is more than a simple shell monitor; that is explainable but worth noting. Also, SKILL.md and the manifest do not declare environment variables referenced in the code (e.g., TELEGRAM_BOT_TOKEN, TELEGRAM_CHAT_ID, OPENTABLE_*), creating a mismatch between stated requirements and actual code.
- Instruction Scope (concern): Runtime scripts do what the documentation describes (search, check, monitor). However, notify.sh explicitly searches the user's OpenClaw config files under $HOME/.openclaw and $HOME/.config/openclaw for a Telegram bot token (channels.telegram.botToken) and will use it if found; this reads potentially sensitive configuration belonging to the user's agent or other skills. The Playwright scripts intercept network responses and persist session state (~/.openclaw/data/resy-hunter/.playwright-state and opentable-session.json), which is expected for browser automation but can capture session cookies or JSON payloads. The instructions/scripts also cache auth tokens and session files in the user's home directory.
- Install Mechanism (note): There is no install spec (instruction-only), so nothing is automatically downloaded by the skill. The repo includes package.json/package-lock with a Playwright dependency; running npm install will fetch Playwright and (typically) browser binaries. That is not executed automatically here, but it is required for the Playwright scripts to run, and it introduces additional installation cost and local artifacts (browsers) if the user chooses to use the skill.
- Credentials (concern): The declared required env vars are only the Resy credentials (RESY_API_KEY, RESY_EMAIL, RESY_PASSWORD). In practice, the scripts also use or expect TELEGRAM_CHAT_ID and TELEGRAM_BOT_TOKEN (notify.sh), and references mention OPENTABLE_EMAIL/OPENTABLE_PASSWORD; none of these are declared in the manifest. notify.sh's fallback behavior of scanning multiple OpenClaw config files to discover a Telegram bot token is disproportionate to the nominal purpose (it reads other config files that may contain unrelated secrets).
- Persistence & Privilege (concern): The skill writes persistent state under the user's home (~/.openclaw/data/resy-hunter and the skill dir), caches Resy auth tokens, and saves Playwright/OpenTable session files. That is expected for a monitor. The concern is that notify.sh reads other OpenClaw config files to extract a bot token (cross-config access to other credentials), which is a privileged action beyond purely storing its own state. The skill does not set always:true.
