Skillv1.1.0

ClawScan security

OpenClaw Usage Manager · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

ReviewMar 14, 2026, 2:54 PM

Verdict: Review
Confidence: high
Model: gpt-5-mini
Summary: The skill's code and instructions generally match its stated goal (dashboard + auto-switch), but it asks to store/handle Anthropic API tokens and to modify OpenClaw's agent auth file — behavior that is powerful and isn't declared in the registry metadata, so you should review and control it before installing.
Guidance: What to check before installing: - Inspect the repository your install will clone (the SKILL.md references a GitHub URL). Confirm the code matches what you were shown. - Understand token handling: the tool requires two Anthropic API tokens. You can use 1Password (recommended) or tokens.json (plaintext on disk). Prefer 1Password; if you use tokens.json, keep it chmod 600 and ensure the machine is trusted. - Backup ~/.openclaw/agents/main/agent/auth-profiles.json before running the auto-switcher. The checker overwrites that file to swap tokens; if misconfigured it could lock your agent or expose credentials. - Confirm dependencies: Node.js >=18 is required and the dashboard uses the 1Password CLI ('op') if you choose that setup path. The registry metadata did not declare these — the omission is a red flag. - Run the dashboard and scripts locally (not on a production machine) first and review network activity (they call api.anthropic.com and run local commands like lsof/kill). The dashboard is designed to bind to localhost only, but verify that behavior in your environment. - If you are not comfortable having a tool rewrite OpenClaw agent auth files, do not install. Consider manual switching or a version that only reads usage and reports but does not alter agent configuration. - If you decide to proceed: inspect setup scripts (setup-tokens.sh / setup-tokens-simple.sh), review how tokens are passed to child processes, and ensure your 1Password CLI is logged in and secure. Keep a copy of the original auth-profiles.json and restrict file permissions.

Review Dimensions

Purpose & Capability: noteThe claimed purpose (monitor two Claude Max accounts and auto-switch) matches the included scripts: a local dashboard that fetches usage and a checker that can swap API tokens. However the registry metadata lists no required binaries or credentials whereas SKILL.md and the code require Node.js and (optionally) the 1Password CLI and Anthropic API tokens; that mismatch is an integrity/metadata issue.
Instruction Scope: concernRuntime instructions direct the user to copy files into ~/.openclaw/workspace/tools and run setup scripts. The checker script reads tokens.json and reads/writes the OpenClaw agent config at ~/.openclaw/agents/main/agent/auth-profiles.json to swap the active token — this modifies another agent's credential file. The dashboard server executes shell commands (op via execSync, lsof/kill) and posts to the Anthropic API. Those actions go beyond innocuous monitoring and require careful review and backups.
Install Mechanism: okThere is no install spec; the package is instruction-only with code files you copy locally (git clone). No remote downloads or extracted archives are used by the skill itself. That lowers installation risk, but the registry metadata omits that Node.js/op are required.
Credentials: concernThe tool legitimately needs Anthropic API tokens for both accounts and suggests optionally using 1Password to retrieve them. Those credentials are sensitive and the skill stores them either in tokens.json (plaintext on disk, albeit with chmod 600) or accesses them via the 1Password CLI. The checker then overwrites OpenClaw's agent auth file with one of those tokens — giving the tool privilege over which account the agent uses. The registry declared no required env/credentials, which is inconsistent.
Persistence & Privilege: concernThe skill does not set always:true, but it does modify another agent's configuration file (~/.openclaw/agents/main/agent/auth-profiles.json). Per the guidelines, a skill that writes credentials/config for other agents or system-wide agent settings should be treated as higher privilege — this increases blast radius if the script is compromised or misused.