Skill v2.5.10
ClawScan security
Gstack OpenClaw · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Suspicious · Apr 14, 2026, 11:30 AM
- Verdict: suspicious
- Confidence: medium
- Model: gpt-5-mini
- Summary: The skill is largely a documentation-only collection of prompt-driven roles (consistent with its description), but there are small inconsistencies (leftover install.sh references and many example network calls) that do not match the 'no-execution / no-network' safety claim and warrant additional checks before installing.
- Guidance: This package is mostly documentation and prompt templates and appears coherent with its stated purpose — but check a few things before installing:
  - Verify there is indeed no install.sh or other executable file in the distributed package (the docs contain mixed references to './install.sh' even though the changelog says it was removed).
  - Understand that many examples show network calls and test scripts (curl, fetch, Playwright). The skill itself doesn't require credentials, but if you grant OpenClaw tools permission to access files, browsers, or external APIs, the agent could perform those actions. Only grant such permissions after you review and are comfortable with the resulting behaviour.
  - If you plan to use sub-skills that interact with external services (WebPageTest, PageSpeed Insights, CI/CD), provide API keys only to the specific official skill that needs them — this gstack package should not demand secrets itself.
  - If you want maximum safety, install via the platform's verified 'clawhub install' path and avoid running any manual install scripts suggested in docs until you confirm they exist and are benign.

  Overall: coherent but inconsistent documentation signals (leftover install.sh references and illustrative network/code examples). If you need higher assurance, ask the publisher to confirm the removed-install.sh state and to remove any leftover install instructions that reference removed files.
Review Dimensions
- Purpose & Capability (ok): Name/description and the provided SKILL.md files consistently describe a prompt-driven, role-based engineering assistant. The files are instruction-only (no code files or install spec) and the requested capabilities (design, review, benchmark, canary, etc.) are coherent with the provided content and examples.
- Instruction Scope (concern): The top-level SKILL.md explicitly asserts 'documentation-only' and 'no network / no file I/O' except via standard OpenClaw tools. However, multiple sub-skill docs include concrete code examples that call network endpoints (curl to webpagetest, fetch('/analytics'), Playwright scripts that open URLs) and the top SKILL.md (and README) contain manual install instructions that reference an './install.sh' command. The repository manifest shows no install script present, and SECURITY.md/README state install.sh was removed — the presence of references to it in some docs is an inconsistency. While these examples appear to be illustrative (not runtime instructions that will be executed by the skill itself), the agent instructions allow use of OpenClaw tools (which may perform network or filesystem actions if the user grants them). This grants the agent some discretionary scope depending on runtime tool permissions.
- Install Mechanism (note): There is no install spec and no executable code in the package (instruction-only), which is the lowest-risk install model. That said, docs show two installation patterns: 'clawhub install openclaw/gstack' (recommended) and a manual 'git clone && ./install.sh' flow — although the package claims install.sh was removed in v2.5.10 and the file manifest contains no install.sh. This is an inconsistency to verify but does not indicate a malicious install mechanism (no remote archives or downloads in the package).
- Credentials (ok): The skill declares no required binaries, env vars, credentials, or config paths. All sub-skills show example usages that, if actually executed, might require external API keys (WebPageTest, PSI) but the package does not request these secrets. That proportionality (documentation-only, no credentials required) matches the declared metadata.
- Persistence & Privilege (ok): The skill does not request 'always: true' and is user-invocable only. It does not request any agent-wide configuration changes or cross-skill credentials. Autonomous invocation (disable-model-invocation: false) is the platform default and not, by itself, a red flag here.
