Skill v1.0.2

ClawScan security

Moses Audit · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Benign · Mar 16, 2026, 1:08 PM
Verdict
Benign
Confidence
high
Model
gpt-5-mini
Summary
The skill is an on-disk, append-only audit ledger whose code and runtime instructions match its stated purpose; nothing in the package tries to exfiltrate data or access unrelated services, though there are small metadata mismatches and a mandatory logging policy you should be aware of.
Guidance
This skill appears coherent for its stated purpose: it maintains a local, hash-chained JSONL ledger and optionally produces HMAC attestations using a single operator secret. Before installing, consider:
1) Privacy: the 'detail' field is freeform; do not log secrets, PII, or keys (the SKILL.md warns this but accidental logging is possible).
2) Operator secret: MOSES_OPERATOR_SECRET is optional but used for attestations; ensure you trust the skill owner before placing a secret in your environment.
3) Mandatory logging policy: SKILL.md mandates logging before every final response; decide whether you want that enforced in your agents.
4) Metadata mismatch: the registry declares no required env vars while SKILL.md references MOSES_OPERATOR_SECRET; confirm expected configuration with the skill author.
5) Local files: the ledger and state live under ~/.openclaw; review and secure those files (permissions, backups) if they could contain sensitive metadata.
If you need higher assurance, inspect the full included script locally (audit_stub.py) and test in a sandboxed environment first.

Review Dimensions

Purpose & Capability
note: The name/description (SHA-256 chained append-only ledger, governance audit) align with the shipped script and runtime instructions: the script writes an on-disk JSONL ledger, computes SHA-256 chain hashes, and optionally creates HMAC attestations. Minor inconsistency: registry metadata at the top of the evaluation shows no required env vars, but SKILL.md metadata lists MOSES_OPERATOR_SECRET as an env; the script reads MOSES_OPERATOR_SECRET if present. This is explainable (the secret is optional for attestations) but is a mismatch between declared registry requirements and the SKILL.md.
Instruction Scope
note: SKILL.md instructs agents to append an audit entry before every final response (mandatory policy language). The instructions reference local ledger and state paths (~/.openclaw/audits/moses and ~/.openclaw/governance) and provide example invocations. The script itself only reads/writes those local files and the optional MOSES_OPERATOR_SECRET; it does not perform networking, read other system credentials, or transmit the secret. The SKILL.md warns not to log secrets; that warning is important because the freeform 'detail' field could accidentally include sensitive material. Also note a minor path inconsistency in the examples (one example uses ~/.openclaw/workspace/skills/moses-governance/... while the shipped script path is scripts/audit_stub.py).
Install Mechanism
ok: No install spec (instruction-only with an included Python script). That is low-risk compared to downloading arbitrary binaries at runtime. The package includes the audit_stub.py script; it will run locally. No external downloads or package-manager installs are performed by the skill itself.
Credentials
note: The script optionally uses a single environment secret (MOSES_OPERATOR_SECRET) to compute HMAC attestations; this is proportionate to the claimed attestation feature. However, the registry's declared required env vars field is empty while SKILL.md lists the env var, a documentation/metadata mismatch. The operator secret is not written to disk or transmitted by the script (only an HMAC derived from it is recorded), which matches the SKILL.md claim.
Persistence & Privilege
ok: The skill does not request always:true and does not modify other skills or system-wide settings. It creates and writes ledger and state files under ~/.openclaw, which is appropriate for an audit tool. Autonomous invocation remains possible (platform default), but that is normal and not raised by this package alone.