Skill v1.1.3

ClawScan security

WebSocket 接收器 (WebSocket receiver) · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Suspicious · Mar 18, 2026, 6:23 AM
Verdict
suspicious
Confidence
high
Model
gpt-5-mini
Summary
The skill mostly does what it claims (WebSocket receiving, batching, AI analysis) but contains surprising/undeclared behaviors — notably an install script that writes a default config pointing to an external IP and runtime code that invokes the local 'openclaw' CLI to analyze batches — that are not fully documented in the registry metadata.
Guidance
This skill implements the advertised WebSocket receiver, but exercise caution before installing/running it. Specific things to consider before proceeding:

- Inspect and edit install.sh: it writes ~/.openclaw/websocket-config.json with ws://59.110.46.1:6680/ws by default. Remove or change that hard-coded ws_url before starting the receiver to avoid connecting to an unknown host.
- Be aware that receiver.py sends batch content to the local 'openclaw' CLI (openclaw agent --message ...) for AI analysis. That hands your collected messages to whatever the local OpenClaw agent is configured to do (likely forwarding to an external LLM provider). If you will process sensitive data, disable auto_analyze or remove/replace that code.
- The installer appends the skill scripts path to your shell rc (~/.bashrc or ~/.zshrc). If you prefer no PATH modifications, edit the script or run the tool directly (python3 scripts/receiver.py).
- Confirm provenance: the package source is 'unknown' and the metadata author is minimal. If you don't trust the author, run this in an isolated environment (container or VM), or avoid installing.
- If you want to use this as a template: set ws_url to a known local/test server, turn off auto_analyze, and review the notify/agent subprocess calls. Consider replacing the openclaw subprocess calls with explicit calls to a vetted LLM API or local analyzer you control.

If you want, I can: (1) point out the exact lines in install.sh and receiver.py to change, (2) produce a safe modified install script that does not write a default remote ws_url or modify shell rc, or (3) show how to run the receiver in a containerized/isolated way.
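The guidance above amounts to a manual audit of install.sh and scripts/receiver.py. The script below, an added example that is not part of the ClawScan page or of the skill, performs that audit statically: it flags hard-coded ws:// or wss:// URLs to non-loopback hosts and appends to shell rc files in the installer, and walks the Python AST of the receiver to list the binaries handed to subprocess-style exec calls, comparing them with the binaries the registry declares. The two sample files are constructed here to mirror the page's description, not copied from the package; the function names, the regexes and the set of exec functions are this example's own choices.

```python
"""Pre-install static audit for a ClawHub skill package (added example)."""
import ast
import re

# Constructed stand-in for the skill's install.sh, written to mirror the
# behaviours the verdict describes; the real file may differ.
SAMPLE_INSTALL_SH = r'''#!/bin/bash
pip3 install websockets
mkdir -p ~/clawd/data/websocket ~/.openclaw
echo 'export PATH="$PATH:$HOME/skills/websocket-receiver/scripts"' >> ~/.bashrc
cat > ~/.openclaw/websocket-config.json <<'EOF'
{"ws_url": "ws://59.110.46.1:6680/ws", "auto_analyze": true}
EOF
'''

# Constructed stand-in for scripts/receiver.py (only the exec calls matter here).
SAMPLE_RECEIVER_PY = '''
import asyncio

async def analyze_batch(prompt):
    proc = await asyncio.create_subprocess_exec(
        "openclaw", "agent", "--message", prompt)
    await proc.wait()

async def notify(message):
    await asyncio.create_subprocess_exec("openclaw", "notify", message)
'''

# Host group stops at ':' or '/', so the port and path are matched separately.
URL_RE = re.compile(r"wss?://([\w.-]+)(?::\d+)?[\w./-]*")
# ">> ~/.bashrc", ">> $HOME/.zshrc", ... : the installer persisting into shell startup.
RC_RE = re.compile(r">>\s*(?:~|\$HOME)/\.(?:bashrc|zshrc|profile)")
LOOPBACK = {"localhost", "127.0.0.1", "::1"}
EXEC_MODULES = {"asyncio", "subprocess", "os"}
EXEC_FUNCS = {"create_subprocess_exec", "create_subprocess_shell",
              "run", "Popen", "call", "check_call", "check_output", "system"}


def audit_install_script(text):
    """Return (kind, snippet) findings for remote ws URLs and shell-rc appends."""
    findings = []
    for m in URL_RE.finditer(text):
        if m.group(1) not in LOOPBACK:
            findings.append(("remote_ws_url", m.group(0)))
    for m in RC_RE.finditer(text):
        findings.append(("shell_rc_append", m.group(0)))
    return findings


def find_exec_targets(source):
    """Sorted set of binaries passed as a literal first argument to exec-style
    calls (asyncio.create_subprocess_exec, subprocess.run/Popen/..., os.system)."""
    targets = set()
    for node in ast.walk(ast.parse(source)):
        if not isinstance(node, ast.Call):
            continue
        func = node.func
        if isinstance(func, ast.Attribute):
            owner = func.value.id if isinstance(func.value, ast.Name) else None
            name = func.attr if owner in EXEC_MODULES else None
        else:
            name = getattr(func, "id", None)   # from-imported form, e.g. run(...)
        if name in EXEC_FUNCS and node.args and isinstance(node.args[0], ast.Constant):
            value = node.args[0].value
            if isinstance(value, str) and value.strip():
                targets.add(value.split()[0])  # shell-string form: first word is the binary
    return sorted(targets)


def audit_skill(install_sh, receiver_py, declared_binaries=()):
    """Combine both checks; any finding means 'inspect before installing'."""
    install = audit_install_script(install_sh)
    undeclared = [b for b in find_exec_targets(receiver_py) if b not in set(declared_binaries)]
    verdict = "suspicious" if install or undeclared else "clean"
    return {"verdict": verdict, "install": install, "undeclared_binaries": undeclared}


if __name__ == "__main__":
    import json
    print(json.dumps(audit_skill(SAMPLE_INSTALL_SH, SAMPLE_RECEIVER_PY), indent=2))
```

Run it against the real package by reading install.sh and scripts/receiver.py from the unpacked skill directory and passing the registry's declared binaries (none, for this skill) as declared_binaries; a clean result only says these specific patterns are absent, so it complements rather than replaces reading the scripts.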

Review Dimensions

Purpose & Capability
Note: The code (scripts/receiver.py) implements a WebSocket receiver with reconnect, batching, JSONL persistence, and optional AI analysis — consistent with the skill description. However, the install script creates a sample config that points to a hard-coded external IP (ws://59.110.46.1:6680/ws). That default server is not mentioned in the SKILL.md prose and contradicts the README's claim that the skill "does not contain a real data source." Creating a pre-filled config pointing to a remote host is unnecessary for a learning template and is disproportionate to the stated purpose.
Instruction Scope
Concern: SKILL.md documents env vars and a config file (~/.openclaw/websocket-config.json) but does not mention that the runtime will call the local 'openclaw' CLI. The receiver uses asyncio.create_subprocess_exec to run 'openclaw agent ... --message <prompt>' for batch AI analysis and 'openclaw notify <message>' for notifications. Those calls cause collected message content (the batch prompt) to be handed to the local OpenClaw agent, which may forward it to external LLM providers; this data flow is not clearly documented in metadata/registry. The install.sh also auto-writes the config with a remote ws_url, which could cause the skill to immediately start connecting to an unfamiliar external endpoint if the user runs it.
Install Mechanism
Concern: There is no formal install spec in the registry, but the package includes install.sh which: installs a Python dependency, creates data directories, appends the skill script path to the user's shell rc (modifies PATH), and writes ~/.openclaw/websocket-config.json containing a hard-coded external IP. Modifying shell startup files and creating a config with a remote server are actions with side effects that should be explicitly documented in registry metadata; the presence of a hard-coded IP in the created config is a red flag.
Credentials
Concern: Registry metadata lists no required environment variables, but SKILL.md expects WEBSOCKET_URL and a config file path. The code invokes the external CLI 'openclaw' without declaring it as a required binary or dependency. While the skill does not request secrets like API keys, it does rely on an external CLI (openclaw) and on a config file that the installer populates with a remote ws_url — these runtime dependencies are not reflected in the declared requirements and can lead to unexpected network activity or data exposure.
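One way to close this gap at runtime, as an added example that is not the skill's own code: a loader for ~/.openclaw/websocket-config.json that refuses a ws_url unless its host is loopback or explicitly allow-listed, treats auto_analyze as opt-in, and checks up front whether the undeclared 'openclaw' binary is present instead of discovering that inside a subprocess call; a companion function rewrites an installer-generated config into one that is safe to start with. The key names ws_url and auto_analyze come from the page. The allowed_hosts parameter, the loopback placeholder URL used by sanitize_config (port 6680 reused from the page's default) and the openclaw_path parameter (present so the check can be exercised without the CLI installed) are assumptions of this example.

```python
"""Hardened loader for the receiver's config file (added example, not the skill's code)."""
import json
import shutil
from urllib.parse import urlsplit

LOOPBACK_HOSTS = {"localhost", "127.0.0.1", "::1"}


class UnsafeConfig(ValueError):
    """The config would connect to an unvetted host or hand data to an analyzer
    the operator has not opted into."""


def check_ws_url(ws_url, allowed_hosts=()):
    """Return the host if ws_url is a ws/wss URL to loopback or an allow-listed host."""
    parts = urlsplit(ws_url)
    if parts.scheme not in ("ws", "wss"):
        raise UnsafeConfig(f"ws_url must be ws:// or wss://, got {ws_url!r}")
    host = parts.hostname or ""
    if host not in LOOPBACK_HOSTS and host not in set(allowed_hosts):
        raise UnsafeConfig(f"ws_url host {host!r} is neither loopback nor allow-listed")
    return host


def load_config(raw_json, allowed_hosts=(), openclaw_path=None):
    """Parse the config text and return settings safe to start the receiver with.

    openclaw_path is an assumption of this example: pass a path (or "") to
    bypass the PATH lookup; None means look up the 'openclaw' CLI with shutil.which.
    """
    cfg = json.loads(raw_json)
    ws_url = cfg.get("ws_url")
    if not isinstance(ws_url, str) or not ws_url:
        raise UnsafeConfig("ws_url is missing")
    host = check_ws_url(ws_url, allowed_hosts)
    # Analysis is opt-in: a missing key means off, never on.
    auto_analyze = cfg.get("auto_analyze", False) is True
    openclaw = openclaw_path if openclaw_path is not None else shutil.which("openclaw")
    if auto_analyze and not openclaw:
        raise UnsafeConfig("auto_analyze is on but the 'openclaw' CLI is not installed")
    return {"ws_url": ws_url, "host": host, "auto_analyze": auto_analyze, "openclaw": openclaw}


def is_safe_config(raw_json, allowed_hosts=(), openclaw_path=None):
    """Boolean form of load_config for callers that only need a go/no-go."""
    try:
        load_config(raw_json, allowed_hosts, openclaw_path)
        return True
    except (UnsafeConfig, ValueError):
        return False


def sanitize_config(raw_json, placeholder="ws://127.0.0.1:6680/ws"):
    """Rewrite an installer-generated config: replace a non-loopback ws_url with a
    loopback placeholder and force auto_analyze off. Returns (config, changes)."""
    cfg = json.loads(raw_json)
    changes = []
    ws_url = cfg.get("ws_url", "")
    try:
        check_ws_url(ws_url if isinstance(ws_url, str) else "")
    except (UnsafeConfig, ValueError):
        changes.append(f"ws_url {ws_url!r} -> {placeholder!r}")
        cfg["ws_url"] = placeholder
    if cfg.get("auto_analyze", False):
        changes.append("auto_analyze true -> false")
    cfg["auto_analyze"] = False
    return cfg, changes


if __name__ == "__main__":
    # Constructed input: the config the page says install.sh writes by default.
    installed = '{"ws_url": "ws://59.110.46.1:6680/ws", "auto_analyze": true}'
    print("safe as installed:", is_safe_config(installed, openclaw_path=""))
    cfg, changes = sanitize_config(installed)
    print(json.dumps(cfg), changes)
```

Wire load_config in at the top of the receiver (before the reconnect loop) so a config the installer pre-filled cannot reach the network silently; an operator who really wants the remote endpoint passes its host in allowed_hosts, which makes the decision explicit and visible in code review.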
Persistence & Privilege
Note: The skill does not request 'always: true' and does not alter other skills' configs. However, install.sh persists state: it writes files under the user's home (~/.openclaw, ~/clawd/data/websocket), writes a PID file at runtime, and appends to shell rc to add the scripts directory to PATH. These are normal for a local CLI tool but are nontrivial side effects that should be highlighted before installation.