Skillv1.0.0

ClawScan security

openclaw-knowledge-coach · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

ReviewFeb 23, 2026, 12:22 AM

Verdict: Review
Confidence: medium
Model: gpt-5-mini
Summary: The skill's instructions match its stated purpose (local ingestion + exercise generation) but they reference external LLM API keys and runtime behaviors that are not declared in the metadata and could cause user data to be sent to third‑party providers unless the user explicitly configures otherwise.
Guidance: This skill appears to do what it says (ingest local files and generate practice items), but be aware of two main issues before installing/using it: 1) Secrets and external providers: The SKILL.md expects LLM API keys (e.g., OPENAI_API_KEY) even though the registry metadata lists none. Supplying those keys will permit the 'praxis' CLI to send your local document contents to external LLM providers. If your files contain sensitive data, consider: (a) using a local/self-hosted LLM provider, (b) redacting sensitive fields before ingesting, or (c) running the tooling in an isolated environment. 2) Vet the dependency: The skill recommends pip installing 'openpraxis' or cloning the GitHub repo. Review the PyPI package source or repository (and its installation scripts) before running pip install, or install into a sandbox/virtualenv. Look for any post-install hooks or network calls in that project. Other practical advice: - Don’t set long-lived credentials in global shell profiles; prefer ephemeral tokens or project-scoped env vars. - Test with non-sensitive sample files first to confirm where data is sent and what telemetry the CLI emits. - If you need stronger assurance, ask the maintainer for an explicit list of data flows (what is uploaded to providers, what is kept local) or run the 'praxis' CLI under network monitoring to confirm behavior. Confidence in this evaluation is medium; additional artifacts that would raise confidence either way are: explicit declared required env vars in the registry metadata, an included install spec, or the openpraxis package source to inspect for network/telemetry behavior.

Review Dimensions

Purpose & Capability: okThe name/description (local knowledge ingestion + practice generation) align with the SKILL.md: it uses the OpenPraxis 'praxis' CLI to import local files, chunk them, and generate exercises. There are no declared requirements that appear unrelated to this purpose.
Instruction Scope: concernThe runtime instructions tell the agent to ingest arbitrary local files (absolute paths) and to call the 'praxis' CLI which will in turn contact LLM providers for exercise generation. The SKILL.md also instructs using environment variables like OPENAI_API_KEY / ARK_API_KEY / MOONSHOT_API_KEY / DEEPSEEK_API_KEY, but the skill metadata declares no required env vars. The instructions therefore access and rely on secrets/configuration not declared in the registry metadata. Users should note that content from local files will likely be transmitted to external LLM services unless a local provider is used.
Install Mechanism: okThis is an instruction-only skill (no install spec, no code files). It recommends installing 'openpraxis' from PyPI or cloning the GitHub repo — standard, traceable sources. No downloads from obscure hosts or archive extraction are specified in the skill metadata itself. Users should still vet the PyPI package/repo before installation.
Credentials: concernAlthough the registry lists no required environment variables, the SKILL.md explicitly requires API keys (OPENAI_API_KEY and alternatives) for LLM provider configuration. This mismatch is a configuration and disclosure gap: the skill will need credentials to function as described, and those credentials enable uploading user data to third-party services. No unrelated or excessive credentials are requested, but the missing declaration is a concern.
Persistence & Privilege: okThe skill does not request 'always: true', does not include install-time persistence, and is instruction-only (no background services indicated). Autonomous invocation is allowed (platform default) but not exceptional here.