Skill v1.0.35

ClawScan security

Signalgrid Push · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Benign · Mar 8, 2026, 6:00 PM
Verdict: benign
Confidence: high
Model: gpt-5-mini
Summary
The skill's code, required environment variables, and runtime instructions align with its stated purpose of sending push notifications via Signalgrid and request only the credentials needed for that task.
Guidance
This skill appears coherent and only needs your Signalgrid client key and channel. Before installing: (1) Treat SIGNALGRID_CLIENT_KEY as a secret—store it in your environment/config and don't paste it on the command line. The bundled script logs raw process arguments (DEBUG lines), so avoid passing any secret values as CLI args. (2) Set your OpenClaw tool profile to 'full' only if you trust network-capable skills, since that enables outgoing requests. (3) Confirm you trust the Signalgrid service (https://web.signalgrid.co) before providing credentials. If you want extra caution, consider reviewing or removing the debug console.log statements in signalgrid-push.js after installation.

Review Dimensions

Purpose & Capability
ok: Name/description, required binaries (node), environment variables (SIGNALGRID_CLIENT_KEY, SIGNALGRID_CHANNEL), and the bundled script all align with sending push notifications to api.signalgrid.co. There are no unrelated credentials, binaries, or config paths requested.
Instruction Scope
ok: SKILL.md instructs running the included Node script with title/body/type/critical options and to set the two Signalgrid env vars. The script only reads process.argv and the two declared env vars and posts to api.signalgrid.co. It does not read other files, system configs, or send data to unexpected endpoints. Note: the script prints debug logs (including raw process.argv and parsed args) which could expose any sensitive values passed on the command line.
Install Mechanism
ok: No install spec is provided (instruction-only install), and the package includes a small Node script. Nothing is downloaded or extracted from external URLs during install, so there is low install-time risk.
Credentials
ok: The skill requires only SIGNALGRID_CLIENT_KEY and SIGNALGRID_CHANNEL, which are directly needed to authenticate and route notifications. The declared primary credential is the client key; no unrelated secrets are requested.
Persistence & Privilege
ok: `always` is false and the skill is user-invocable; autonomous invocation is allowed (platform default) but the skill does not request persistent system-wide changes or access to other skills' configs.