Self-Check Enhanced
PassAudited by ClawScan on May 8, 2026.
Overview
This appears to be a legitimate OpenClaw self-check tool, but it runs local diagnostic commands and may inspect whether API tokens are configured.
This skill is reasonable for manual OpenClaw health checks. Before using it, verify the package identity/version, run it only in the intended OpenClaw workspace, and do not blindly execute suggested repair commands or share reports that might reveal local configuration details.
Findings (3)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Running the self-check will execute local commands on the user's machine to inspect the OpenClaw environment.
The helper runs local shell commands for diagnostics such as checking node, npm, processes, and ports. The commands shown are purpose-aligned and not destructive, but shell execution is still a capability users should notice.
def run_cmd(cmd: str, shell: bool = True, timeout: int = 30) ... subprocess.run(cmd, shell=shell, capture_output=True, text=True, timeout=timeout)
Run it only when you want a local diagnostic scan, and review any suggested repair command before executing it yourself.
The scan may learn whether credentials are configured, although the artifacts say it should not reveal the credential values.
The skill discloses that it checks whether API keys are present in environment variables or config files. It also states that token values are not displayed, which keeps this purpose-aligned but still sensitive.
### 7. API Token - [ ] 环境变量中的 API key - [ ] 配置文件中的 API key(不显示值) ... 敏感信息(如 token)只显示是否配置,不显示值
Confirm that reports only show credential presence, not secret values, especially before sharing self-check output with others.
Users may have less certainty that the packaged helper corresponds exactly to the registry entry they intended to install.
The embedded metadata differs from the supplied registry metadata, which lists a different owner ID, slug, and version. This looks like a packaging/provenance inconsistency rather than proven malicious behavior.
"ownerId": "kn7fj2fgxtxrga7nksyk0kega581wmhv", "slug": "self-check", "version": "1.0.0"
Verify the publisher and version before installing or running the helper, particularly because the source and homepage are not provided.