Skill v1.0.0

ClawScan security

Mission Control Builder · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Suspicious · Feb 19, 2026, 12:22 PM
Verdict
suspicious
Confidence
medium
Model
gpt-5-mini
Summary
The skill's instructions generally match its stated goal (building a Next.js dashboard), but it claims to integrate with OpenClaw memories and GitHub trends without explaining how credentials or API access are obtained. That omission is inconsistent with the metadata, which declares no environment variables, and warrants caution.
Guidance
This skill is an instruction document for creating a local Next.js dashboard and appears technically coherent for that core purpose. However: (1) The guide claims to surface OpenClaw memories and GitHub trends but doesn't show how to connect to those services or what credentials are needed — ask the author or inspect any implementation before providing API keys or connecting live data. (2) The example uses local JSON files for storage; be careful storing sensitive data (memories, tokens) in plain files and consider access controls/encryption. (3) Because the skill is instruction-only, there is no registry-installed code, but if you follow the guide and paste/run code from unknown sources, review it for network calls or secrets exfiltration. If you plan to use this with real OpenClaw memories or GitHub accounts, require explicit documentation of required env vars, endpoints, and authentication flows before giving it access to credentials.

Review Dimensions

Purpose & Capability
note: The name/description (personal dashboard for OpenClaw) aligns with the provided Next.js project scaffolding and file-based task storage. However, the skill repeatedly mentions integrating with an OpenClaw memory store and GitHub trends but declares no environment variables or configuration for connecting to those services. That gap is an inconsistency: accessing OpenClaw memories or GitHub data normally requires endpoints/credentials which are not specified.
Instruction Scope
note: The SKILL.md is an instruction-only guide to create a local Next.js app that reads/writes JSON files under the project (src/data). File I/O is scoped to the project directory (process.cwd()), which is expected for a local dashboard. The instructions are incomplete about how to access external data sources (OpenClaw memory, GitHub trends) and leave implementation details open-ended, which grants broad discretion to whoever implements the integrations.
Install Mechanism
ok: There is no install spec and no code files executed by the platform; the skill is instruction-only and relies on standard tooling (npx, npm). This is the lowest-risk install posture from the registry perspective.
Credentials
note: No environment variables or credentials are required according to the metadata. That is plausible for a purely local, file-based dashboard, but inconsistent with advertised integrations: connecting to an OpenClaw instance or the GitHub API typically requires endpoints and credentials. The absence of declared env vars is therefore an omission and should be clarified before trusting any code that connects to external services.
Persistence & Privilege
ok: The skill does not request permanent presence (always: false), does not modify other skills or system-wide settings, and has no install hooks. It will not persist or escalate privileges via the registry metadata.