Skill v1.3.2
ClawScan security
Clawd Zero Trust · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Benign · Mar 10, 2026, 5:01 PM
- Verdict: benign
- Confidence: high
- Model: gpt-5-mini
- Summary: The skill's files and runtime instructions are consistent with a Zero Trust hardening tool for OpenClaw, but it performs privileged system changes (firewall, iptables, OpenClaw config), touches agent config and plugin files, and ships elevated exec settings that you should review before applying.
- Guidance: This skill implements a powerful, coherent Zero Trust workflow but performs privileged changes — review before enabling mutating modes. Before you run --apply or enable automatic use:
  - Run everything in dry-run/audit mode first: bash scripts/audit.sh, then bash scripts/egress-filter.sh --dry-run and --status.
  - Back up your OpenClaw config and current firewall rules (openclaw.json and iptables-save / UFW state). The scripts create backups, but keep your own copy.
  - Inspect config/providers.txt and config/custom-providers.json to ensure only expected endpoints are allowlisted. Verify that api.agentsandbox.co and any Telegram/GitHub entries are acceptable.
  - Examine hardening.json, specifically tools.exec (security: "full", ask: "off") and tools.elevated.allowFrom (Telegram IDs). If you do not want host-level exec without prompts or Telegram-triggered elevated operations, change these before applying.
  - Use plugin-integrity.sh --snapshot to establish a baseline, and review plugin-hashes.json before running --verify.
  - Prefer manual invocation for the first run, and avoid cron/unattended applies until you have validated the behavior in a staging instance.
  - Because mutating operations require root, run the scripts only on systems where you can safely recover and where UFW/iptables changes are acceptable.
  If you want further assurance, request a short audit of the specific network calls the scripts will make (e.g., a snapshot of curl/openssl invocations) and a review of any code paths that perform outbound POSTs (the repo documents an OAuth flow for agentsandbox).
- Findings
  - [SCAN-1] expected: Mentioned in scripts/changelog as an audit-fix: the code replaced eval usage with direct execution to avoid dynamic-eval heuristics. This is consistent with UFW argument execution and is expected for an auditing/firewall tool.
  - [SCAN-2] expected: References to api.agentsandbox.co appear in comments and the false-positives doc; the project documents this as first-party OpenClaw infrastructure and as an OAuth/key-generation flow. Outbound calls to this host are therefore expected, but you should verify the exact call semantics before allowing mutating modes.
  - [SCAN-3] expected: Changelog notes a rename of the integrity function to avoid heuristic flags (sets-process-name). This is cosmetic and consistent with tamper-detection logic; expected for integrity-checking code.
  - [SCAN-4] expected: Changelog notes the renaming of a debug string to reduce scanner heuristics; expected and not functionally significant.
  - [FINDING-1] expected: verify-all mode requires curl/openssl/nc; the scripts document and check for these dependencies. Network probes and protocol checks are expected for provider verification.
Review Dimensions
- Purpose & Capability (ok): Name/description match the actual artifacts: scripts implement egress whitelisting, plugin hashing/allowlisting, PLP config, and hardening of OpenClaw. The requested operations (UFW/iptables, openclaw.json merges, plugin checks, DNS-based allowlist) are coherent with the stated Zero Trust purpose.
- Instruction Scope (note): SKILL.md directs the agent/operator to run multiple scripts that read system logs (/var/log/ufw.log, journalctl), read/write OpenClaw config (~/.openclaw/openclaw.json), enumerate plugin files (~/.openclaw/extensions), and contact allowed external endpoints for verification. These are expected for a hardening tool, but they give the skill broad read access to agent state and allow network probes and outbound checks; run in dry-run/audit mode first.
- Install Mechanism (ok): No install spec (instruction-only plus scripts present) — nothing is downloaded from third-party URLs at install time. The scripts rely on common OS packages (ufw, dig, curl, openssl, nc, python3), which is proportionate to their behavior.
- Credentials (concern): The registry metadata lists no required environment variables, but the scripts read local OpenClaw configuration and plugin files, and may look up OPENCLAW_AGENT_DIR / openclaw.json; these files can contain tokens/credentials. hardening.json contains settings (tools.exec: security: "full", ask: "off" and tools.elevated.allowFrom: Telegram IDs) that reduce interactive confirmation and allow elevated execution from a channel — this increases risk and should be explicitly reviewed before enabling --apply modes. Contacting api.agentsandbox.co for key creation is documented inside the references; that behavior is plausible but warrants inspection if you do not expect new API key generation.
- Persistence & Privilege (note): Mutating operations (--apply/--canary/--refresh) explicitly require root and modify firewall/iptables and OpenClaw configuration (shallow-merge hardening.json into openclaw.json). The skill is not force-included (always: false). Autonomous invocation is allowed by default (normal for skills); consider the interaction of that default with the elevated 'ask: off' settings in the hardening overrides.
