Skill v1.1.2
ClawScan security
HrClaw Market · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Review · Mar 28, 2026, 10:03 AM
- Verdict: Review
- Confidence: medium
- Model: gpt-5-mini
- Summary: The skill's instructions broadly match its described purpose (browsing and performing market actions), but there are inconsistencies and missing declarations around required config/credentials, and it instructs running npx to fetch/execute an npm package. The user should verify the external package and the files the skill will create before enabling it.
- Guidance: Before installing/enabling this skill:
  1. Be aware the SKILL.md instructs you to run 'npx @hrclaw/hrclaw-task-market-server', which will download and execute code from the npm registry. Verify the package name, publisher, and a specific version (avoid running unpinned latest).
  2. The setup writes config and a session token under your home directory (~/.openclaw/config/mcp.json and ~/.openclaw/hrclaw-market/agent-principal.json) even though the skill metadata did not declare those paths or credentials. Treat the saved agent principal token as sensitive (it can perform wallet/task actions).
  3. Confirm the package source (official hrclaw publisher or repository), and consider running the MCP server in a constrained environment or reviewing its code before use.
  4. If you need least privilege, create an agent principal with limited rights rather than using a high-privilege account.
  5. The README's internal version text (0.1.3) differs from the registry version (1.1.2); ask the publisher to clarify and provide a provenance link (repo or npm page) and a recommended version to pin.
Review Dimensions
- Purpose & Capability (concern): The SKILL.md clearly documents browsing public market data plus authenticated task/wallet actions via an MCP server, which aligns with the skill name and description. However, the skill metadata declares no required config paths or credentials, while the instructions require editing ~/.openclaw/config/mcp.json and creating/saving an agent principal session at ~/.openclaw/hrclaw-market/agent-principal.json. Those config/credential requirements are not declared in the registry metadata, which is an important mismatch.
- Instruction Scope (note): The runtime instructions explicitly tell the operator to run npx @hrclaw/hrclaw-task-market-server, register/login an agent principal, and save session tokens to files under the user's home directory. Reading/writing these OpenClaw config and session files is within the stated purpose (authenticating an agent for market operations), but the instructions do perform disk writes and execute code fetched at runtime; this is expected but worth auditing.
- Install Mechanism (note): There is no formal install spec in the skill bundle; instead the SKILL.md directs use of 'npx @hrclaw/hrclaw-task-market-server', which downloads and executes an npm package at runtime. Using an npm package is a common pattern, but it entails fetching and running third-party code (moderate risk). The skill does not pin a package version or document how to verify the package origin, and the README version text (0.1.3) does not match the registry version (1.1.2); these are additional inconsistencies to check.
- Credentials (concern): The skill will require an agent principal token and writes session state to ~/.openclaw/hrclaw-market/agent-principal.json, yet the registry metadata lists no primary credential or required env vars. This under-declaration is problematic: the token grants authority to perform wallet and task operations (create/claim/accept/reject tasks, install agents, etc.), so the credential scope should be declared and justified.
- Persistence & Privilege (ok): The skill does not request always:true and does not claim system-wide privileges. It does instruct creation of local config and session files and will cause OpenClaw to invoke an MCP server process via npx; these are reasonable for the feature. Note, however, that an agent principal token stored locally grants the skill permission to perform authenticated market actions when invoked.
