Skill v1.0.1

ClawScan security

dateguard · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Benign · Apr 14, 2026, 4:22 PM
Verdict
benign
Confidence
high
Model
gpt-5-mini
Summary
DateGuard's code, install, and runtime instructions are coherent with a local date/time anti-pattern scanner that integrates with git hooks and optionally checks a local JWT license; nothing in the bundle appears to be trying to do unrelated or hidden work.
Guidance
DateGuard appears to do what it says: local regex-based scans and optional git-hook integration. Before installing or enabling hooks:
(1) Inspect the scripts yourself (they are included) to verify the patterns you expect.
(2) Be aware that the installer writes/edits lefthook.yml and runs lefthook install in your repo, which will run scans on pre-commit/pre-push and can block commits/pushes.
(3) The license key (DATEGUARD_LICENSE_KEY) is required for pro/team features and can be stored in ~/.openclaw/openclaw.json or as an env var. An optional CLAWHUB_JWT_SECRET can enable local JWT signature checks but is not required and is not documented in the SKILL.md metadata. Do not set secrets you don't understand.
(4) Run the tool in a test repo or with a --no-verify workflow first to confirm it behaves as you expect.
If you need higher assurance, consider running the scripts in a sandboxed environment or reviewing the complete shipped files (they are present in the bundle).

Review Dimensions

Purpose & Capability
ok: Name/description match the implementation: scripts provide file discovery, 90 regex patterns, scoring, reports, and git hook integration. Required binaries (git, bash, python3, jq) and lefthook (brew) are consistent with cataloging files, reading config, decoding JWTs, and installing git hooks.
Instruction Scope
note: Runtime instructions and scripts operate locally on the repository or specified paths and produce text/json/html reports. The skill reads ~/.openclaw/openclaw.json (declared in metadata) and environment variables for a license. One undocumented optional env var (CLAWHUB_JWT_SECRET) is referenced by license.sh for JWT signature verification; it is only used locally for verifying a provided token, but it is not declared in requires.env or documented in SKILL.md.
Install Mechanism
ok: Install uses a Homebrew formula (lefthook) which is a standard package manager flow. There are no arbitrary URL downloads or archive extraction steps in the install spec.
Credentials
note: Primary credential DATEGUARD_LICENSE_KEY is declared and used to unlock pro/team tiers; the scripts will also try to read the same key from ~/.openclaw/openclaw.json, which is declared in configPaths. Aside from the declared license key and standard HOME/git environment, the code optionally reads CLAWHUB_JWT_SECRET (undeclared) to verify JWT signatures. This is not required for normal operation but worth noting.
Persistence & Privilege
note: The skill can install lefthook git hooks (pre-commit and pre-push) into a repository and run scans on commit/push. That behavior is consistent with a git-hook integration, but it does modify repository configuration (lefthook.yml) and will execute the shipped scripts on normal developer workflows. Review and consent are recommended before installing hooks.