Skill v1.0.1
ClawScan security
Skill Build Helper · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Suspicious · Mar 5, 2026, 2:47 PM
- Verdict: suspicious
- Confidence: medium
- Model: gpt-5-mini
- Summary: The skill is generally coherent for a developer-facing 'skill builder', but its instructions say the agent may read .env / environment variables / openclaw.json without declaring those as required—this mismatch and the fact it will edit files in your workspace merit caution.
- Guidance: This helper is plausibly what it claims (a tool to scaffold and review SKILL.md), but it has two things to watch: (1) SKILL.md tells the agent it may read .env, environment variables, or openclaw.json to avoid hardcoding secrets, yet the skill declares no required env vars—ask the author to either declare which envs it will read or remove that guidance so it cannot access secrets unexpectedly; (2) the agent will read and modify files under ~/workspace/skills/ (and may run shell commands via exec blocks) — back up your workspace, run it in a sandbox or dedicated project directory, and require explicit confirmations before applying changes. If the author provides a revised SKILL.md that explicitly lists any environment variables it will read (or states it will never read secrets), and documents the exact commands it will run when applying fixes, I would raise fewer concerns.
Review Dimensions
- Purpose & Capability (note): Name/description match the behavior: scaffolding a skill directory, producing SKILL.md/README.md, and running a checklist are expected for a 'skill build helper'. Declaring jq as the only binary is reasonable for parsing JSON metadata. However, the SKILL.md explicitly instructs reading env vars, .env, or openclaw.json for secrets/metadata but the skill declares no required env variables—this is an inconsistency.
- Instruction Scope (concern): Instructions ask the agent to read and modify SKILL.md, README.md, and to scaffold files under ~/workspace/skills/ and references/. That is appropriate for a builder tool, but the runtime instructions also permit reading .env and other local config (openclaw.json) which could expose secrets. The SKILL.md relies on running shell commands via exec JSON blocks, which can execute arbitrary commands when applied.
- Install Mechanism (ok): Instruction-only skill with no install spec and no code files — low risk from installation. Requiring jq is reasonable and declared in frontmatter and README.
- Credentials (concern): The skill declares no required environment variables, yet the guidance explicitly permits reading env vars, .env, or openclaw.json via jq. If the agent reads those files/envs at runtime it may access sensitive credentials without having declared them; the skill should either declare required envs or explicitly state it will not read secrets.
- Persistence & Privilege (note): always:false (normal). The skill is allowed to modify files in the user's workspace (scaffolding and applying approved fixes). That is expected for a builder tool but increases risk if the agent is granted autonomous invocation and broad file access; the skill does require explicit confirmation before state changes per its checklist, which mitigates risk if followed.
