Skillv1.0.1

ClawScan security

Skill Blocker - 安全守卫 · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

BenignMar 16, 2026, 7:44 AM

Verdict: benign
Confidence: medium
Model: gpt-5-mini
Summary: The skill's instructions are coherent with a 'blocker' purpose, but it requires the ability to read and modify other skill files and global config (a high‑privilege capability) — review and limit those powers before installing.
Guidance: This skill appears to do what it says: scan for risky patterns and disable dangerous skills. Before installing, confirm you accept that it will read and modify other skill files and write global blocklist/log files in your home/config directories. Recommended precautions: 1) Back up your ~/.openclaw/skills and config; 2) Run the skill in an environment where it has only the minimum filesystem permissions needed; 3) Prefer manual invocation (do not grant autonomous invocation if your platform allows toggling); 4) Audit its actions (inspect memory/blocked-*.log and global-blocklist.json) and keep change history; 5) If possible, require explicit user approval for any automatic disabling of other skills. If you need higher assurance, request the author add safe-guards (dry-run mode, explicit consent prompts, or an allowlist) or review the implementation code (currently there is none bundled).

Review Dimensions

Purpose & Capability: okName/description match the instructions: the skill is an instruction-only 'safety gate' that scans SKILL.md and skill bundles for risky patterns and can disable/blacklist dangerous skills. It does not request unrelated credentials or binaries.
Instruction Scope: noteThe SKILL.md explicitly instructs scanning other skills' SKILL.md and scripts/ directories and provides commands to rename/disable skill folders and add entries to a global blocklist. Those actions fit a blocker role, but they grant the skill broad discretion to inspect and modify other installed skills and to write audit logs under 'memory/*'.
Install Mechanism: okInstruction-only skill with no install spec, no downloads or third-party packages. This minimizes supply-chain risk.
Credentials: noteThe skill requests no environment variables or credentials (good). However the runtime behavior assumes write/read access to user config and skill directories (e.g., ~/.openclaw/skills, ~/.openclaw/config/global-blocklist.json, memory/blocked-*.log). Those filesystem accesses are necessary for its function but are sensitive and should be made explicit to the user/operator.
Persistence & Privilege: concernAlthough not 'always:true', the skill's documented actions include modifying other skills (renaming/disabling folders) and editing a global blacklist — operations that change system/agent state beyond the skill's own files. That is a high-privilege capability that can be legitimately required for a blocker, but it also increases misuse risk and should be limited, logged, and gated by human approval.