Skill v2.0.0

ClawScan security

Pre Publish Security · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Review · Mar 15, 2026, 8:57 PM
Verdict: Review
Confidence: medium
Model: gpt-5-mini
Summary
The skill generally matches its stated purpose (pre-publish repo audits) but there are a few mismatches and risky operational behaviours you should understand before installing (undeclared CLI dependency, interactive blocking hooks, and some brittle state handling).
Guidance
This skill appears to implement the pre-publish audits it advertises, but review the following before installing:

- Confirm your environment provides the openclaw CLI: audit.sh uses 'openclaw sessions spawn' but 'openclaw' is not listed in required binaries. If openclaw is missing the hook/orchestrator will fail.
- Expect the installer to write a pre-push hook into each repo's .git/hooks/pre-push; that hook will run the audit and can block pushes. Test the hook in a disposable repository first.
- The scripts prompt interactively on HIGH issues (read -r response). That may hang non-interactive environments (CI). If you plan to run in CI, remove/adjust interactive prompts or run a non-interactive mode.
- The tool writes state under $HOME/.openclaw/workspace/skills/pre-publish-security and stores reports in /tmp; verify you are comfortable with these files and their retention.
- There are some fragile implementation details (jq updates to counters may fail if state keys are absent), so run the scripts manually to observe behavior before enabling automatic hooks/cron.
- Audit network behaviour for your use: npm audit and safety (if used) perform network lookups; the tool itself does not appear to exfiltrate findings to remote endpoints, but audit.sh will spawn subagents via the openclaw CLI which will execute the included agent tasks. Inspect those task templates and ensure you trust the local openclaw runtime.

If you lack confidence in any of the above, review the shipped scripts line-by-line or run them in a sandboxed/test repository. If you proceed, remove interactive prompts or configure non-interactive operation for CI environments.

Review Dimensions

Purpose & Capability
Note: The scripts and agent task files implement repository scanning, history scans, dependency checks, and hook installation which aligns with the skill's description. However, audit.sh invokes the external CLI command openclaw (openclaw sessions spawn) but the binary 'openclaw' is not declared in the required binaries list. If the runtime does not already provide this CLI, the orchestrator portion will fail. Otherwise the overall requested capabilities are proportionate to the described purpose.
Instruction Scope
Concern: The runtime instructions and scripts install a Git pre-push hook that will run the audit and block pushes on CRITICAL/HIGH issues. This is expected for the stated goal but is high-impact. The pre-push hook runs audit.sh which spawns subagents via the openclaw CLI; if that CLI is present it will execute generated agent tasks. Several scripts (audit-simple.sh and audit.sh) prompt interactively on HIGH issues (read -r response), which can hang non-interactive workflows/CI or surprise users. The agent task definitions claim to consider credential stores (e.g., ~/.git-credentials) in descriptions, but commands operate inside the provided target path; they do not appear to scan user home files unless the repo path includes them.
Install Mechanism
OK: This is instruction-only with bundled shell scripts; there is no remote download/install step beyond an apt suggestion for jq in SKILL.md. No external archives or short URLs are fetched. Risk from install-time network downloads is low.
Credentials
Note: The skill requests no secret environment variables and primarily reads/writes files in the user's repo and its own state under $HOME/.openclaw/workspace/skills/pre-publish-security. That is proportionate for a repo scanner. It will call optional tools (npm, safety, shellcheck) if present; npm audit/safety may perform network operations. The skill does not itself declare or require credentials, nor does it explicitly exfiltrate data to external endpoints.
Persistence & Privilege
Note: The tool installs Git hooks (modifies .git/hooks/pre-push) and writes a state file under ~/.openclaw/workspace/skills/... which is expected behavior for a repository hook/auditor. It is not always:true and does not modify other skills' configs. Because it can block pushes, users should be aware of the high operational privilege implicit in installing pre-push hooks.