Skillv1.1.2

ClawScan security

OpenClaw Memory Audit · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

SuspiciousFeb 22, 2026, 1:20 AM

Verdict: suspicious
Confidence: medium
Model: gpt-5-mini
Summary: The skill mostly matches its stated purpose (scanning the workspace for leaked secrets), but there are small inconsistencies between the documentation and the implementation that you should understand before installing.
Guidance: This skill appears to be a simple, local secrets scanner and does not exfiltrate data, but note the following before installing or running it: - The script only scans files under the workspace path you give it; it does NOT read agent memory stores or in-memory conversation logs even though the SKILL.md mentions 'memory logs'. If you need memory-store scanning, you'll need additional tooling or explicit instructions to the agent to access that store. - The scanner prints file paths and line numbers for matches (with values masked). Treat the output as sensitive: it reveals where a secret was found even if the secret value is partially redacted. - The regexes are intentionally broad (e.g., generic 32+/40+ char tokens) and can generate false positives. Review findings manually before revoking credentials. - Because the tool reads all text files recursively, run it in an environment where the agent is permitted to read the workspace (no unintended mounts). Consider running in a sandbox or with a copy of the workspace if you are concerned about accidental exposure of file metadata. If you want the skill to actually scan agent memory or a separate logs DB, ask the author to either: (1) document exactly which memory/log store it will access and request only the minimal API/credentials needed, or (2) include code that explicitly reads from that memory store (with clear, auditable behavior).

Review Dimensions

Purpose & Capability: okName/description match the code: a Python script walks the workspace and looks for API keys, JWTs, AWS keys, and other long secrets. The only runtime requirement declared (python3) is appropriate for the included script.
Instruction Scope: concernSKILL.md says the tool scans 'workspace and memory logs' and verifies a recurring audit schedule using cron.list(). The shipped script only walks filesystem files in the provided root directory (workspace) and does not access any agent memory store or memory-log APIs. If you expect it to scan in-memory conversation logs or a separate memory DB, this implementation does not do that. Also the SKILL.md instructs the agent to call cron.list() (an OpenClaw runtime action) which is outside the Python script — that split is fine but is a behavioural mismatch that should be documented clearly.
Install Mechanism: okInstruction-only with a small Python script; there is no installer, no external downloads, and no archives being extracted. This is low-risk from an install-mechanism perspective.
Credentials: okThe skill requests no credentials or environment variables and the script does not read or transmit env vars. There is no indication of unrelated credential access. The patterns the script searches for are broad (may produce false positives) but that is proportional to a secrets scanner.
Persistence & Privilege: okThe skill does not request permanent/always-included status and does not modify other skills or system configuration. It only runs when invoked.