Skill v1.0.0
ClawScan security
Security Audit · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Suspicious · Mar 11, 2026, 10:39 AM
- Verdict: suspicious
- Confidence: medium
- Model: gpt-5-mini
- Summary: The skill's stated purpose (local OpenClaw security audit) is plausible, but the runtime instructions require cloning and executing scripts from a remote GitHub repo (and call tools like git) that are not declared in the metadata — this mismatch and the implicit remote-code-execution risk warrant caution.
- Guidance: This skill points your agent to clone and execute a GitHub-hosted audit toolkit, but the registry metadata does not declare 'git' or the remote-download step. Before installing or running: (1) manually inspect the repository (https://github.com/sunt23310-ops/openclaw-security-audit) yourself to confirm the scripts do what they claim; (2) prefer running the audit in an isolated environment (container, VM, or throwaway account) so arbitrary scripts can't access your main files; (3) verify any fix scripts before consenting and back up configs; (4) expect the audit to read local config files and histories — only proceed if you're comfortable with that level of access; (5) ask the maintainer why 'git' and the remote-clone step are not declared in the skill metadata and request the code be bundled or the install step explicitly listed. If you cannot review the repo, treat this skill as high-risk.
Review Dimensions
- Purpose & Capability (concern): Name and description match the checks described in SKILL.md and the declared binaries (bash, curl, python3) are reasonable for a local audit. However, the runtime instructions require git cloning and executing scripts from ~/openclaw-security-audit, yet 'git' is not listed in required binaries and the registry metadata does not declare the external repository download as part of install. That omission is an incoherence: installing/executing a remote audit suite typically requires git or another downloader and should be declared.
- Instruction Scope (concern): SKILL.md instructs the agent to clone a GitHub repo and run multiple bash scripts that will inspect gateway binding, credentials, channel policies, tool sandboxes, network/IP checks (including optional queries to Shodan/Censys), and macOS system state. The doc claims read-only by default and prompts before external queries/fixes, but because there are no bundled code files the actual behavior depends entirely on the external repo. The instructions implicitly allow executing arbitrary remote scripts which may read sensitive files (configs, shell history) — the scope is broader than the metadata declares and grants the agent discretion to run downloaded code.
- Install Mechanism (concern): Registry metadata lists a brew formula for python3 only. The SKILL.md uses git clone from GitHub to fetch the audit toolkit and then runs its scripts. Fetching and executing code from a remote repository is higher risk than a pure instruction-only skill; although GitHub is a known host (better than an arbitrary IP/shortener), the metadata does not document this download step or require 'git' as a binary, so the install/run mechanism is inconsistent and needs explicit declaration or code bundled with the skill.
- Credentials (note): The skill declares no required credentials or env vars, which is appropriate for a local audit. However, the audit scripts referenced (credentials checks, permission fixes, gateway fixes) will likely read local configuration files and may prompt for or require access to tokens/configs during fixes. Because the actual scripts are external, the skill's lack of declared credential requirements is acceptable but incomplete — users should expect on-run prompts and local-file reads.
- Persistence & Privilege (ok): The skill is not always-enabled and does not request persistent privileges in metadata. It documents that fix scripts require explicit user confirmation before making changes. There is no evidence it modifies other skills or system-wide agent settings on its own.
