Skill v1.0.0

ClawScan security

Schema Validator · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Suspicious · Apr 29, 2026, 11:48 PM
Verdict: suspicious
Confidence: medium
Model: gpt-5-mini
Summary
The package appears to be a local JSON validation CLI (no network or secrets) but the description/README claim CSV and Excel support and broader 'data quality' features that the included code does not implement — a misleading mismatch worth caution.
Guidance
This package appears to be a local Node.js JSON validator and does not contact external servers or request credentials — low direct security risk. However:
1) The description and SKILL.md claim CSV/Excel support and broader 'data quality' features that the included code does not implement; treat that as a mismatch or possible mislabeling.
2) The code will read any file path you pass to it, so do not run it on sensitive files unless you trust the source.
3) There's no install script, but the code requires Node to run; test it locally with non-sensitive sample JSON first.
4) Source/owner and homepage are unknown; if you need guarantees about maintenance or provenance, request a reputable source or a link to a repository before installing.
If you want true CSV/Excel validation, ask the author for proof (parser code or dependencies) or use a known library that explicitly supports those formats.

Review Dimensions

Purpose & Capability
concern: The skill's name/description advertise JSON, CSV, and Excel validation and 'data quality' checks. The provided code (data_validator.js) implements a Node.js JSON validation engine and CLI that reads JSON files or JSON strings; it does not parse CSV or Excel formats and has no CSV/Excel dependencies. This is an inconsistency between claimed purpose and actual capability. Source is unknown and there is no homepage or provenance metadata.
Instruction Scope
note: SKILL.md and the CLI are scoped to validating data and inferring schemas, which matches the code for JSON. Instructions are fairly minimal/vague ('Install the skill', 'Run with OpenClaw') and do not direct reading of unrelated system files or env vars. However the README suggests broader file-type support (CSV/Excel) that the instructions/code do not implement.
Install Mechanism
ok: No install spec; this is instruction-only plus a single JS file. Nothing in the package downloads external artifacts or writes additional files during install. Risk from install mechanism is low.
Credentials
ok: The skill requires no environment variables, no credentials, and no config paths. The code accesses the filesystem only for files the user supplies (fs.readFileSync) — appropriate for a file-based validator.
Persistence & Privilege
ok: 'always' is false and there is no code that modifies agent configuration, other skills, or system-wide settings. The skill does not persist credentials or request elevated privileges.