Skill v1.0.0

ClawScan security

Sumo Assign Tasks · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Benign
Apr 4, 2026, 1:45 PM
Verdict
benign
Confidence
medium
Model
gpt-5-mini
Summary
The skill is internally coherent and does what its name/description say (toggle a stored assignment method), but it has implementation issues (a hardcoded Windows user path and minor string/casing bugs) and lacks provenance.
Guidance
This skill appears to do what it claims: toggle and persist a task-assignment method. Before installing or using it, consider these points:

- The Python script hardcodes a Windows path (C:\Users\rayray\...); on your machine this path may not exist or may be inappropriate. The script will try to create that directory. If you don't want files created under that path, edit assign_tasks.py to use a portable path (e.g., os.path.expanduser('~/.openclaw/...') or an OpenClaw-configured directory).
- There are small bugs/inconsistencies (method name casing and display strings) that may cause the displayed “active” marker to be incorrect; this is a functionality bug, not a security indicator.
- The package has no publisher homepage or provenance information. If you need stronger assurance, ask the publisher for source/origin or run the script in a safe/test environment first.
- If you plan to run this on a non-Windows OS, update the CONFIG_PATH to a suitable location.

If you are comfortable editing the small script to make the path portable and correcting the casing, the skill is low-risk. If you prefer not to edit files yourself, avoid installing until the maintainer provides a portable config-path or provenance.

Review Dimensions

Purpose & Capability
ok
The skill's name and description match the included code and SKILL.md: both implement switching and persisting an assignment method among three options. No unrelated credentials, binaries, or network access are requested.
Instruction Scope
note
SKILL.md stays on task and documents the command and where settings are stored. It explicitly instructs storing config at a path (C:\Users\rayray\.openclaw\workspace\memory\assign_method.json), which matches the Python script. This is expected behavior for a configuration toggle but is non-portable and embeds a specific username.
Install Mechanism
ok
No install spec or external downloads; the skill is instruction + a small local Python script. There are no external dependencies or extract/install steps.
Credentials
ok
The skill requires no environment variables, credentials, or config paths beyond its own config file. No secrets or unrelated service access are requested.
Persistence & Privilege
note
always:false and no autonomous privilege escalation. The script reads/writes a config file under a specific user profile path (hardcoded). Writing to that path is the only persistence; it does not modify other skills or system-wide config. Hardcoding a personal Windows path and casing mismatches in method names are implementation concerns.