Skill v1.0.0
ClawScan security
Credential Hygiene Validator · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Benign · Mar 3, 2026, 1:12 PM
- Verdict: Benign
- Confidence: high
- Model: gpt-5-mini
- Summary: The skill's instructions, required tools, and stated purpose are consistent: it performs local, read-only checks for credential hygiene in dotfiles and OpenClaw config paths.
- Guidance: This skill appears to do exactly what it claims: read-only local checks for credential hygiene. Before installing or invoking it, review the SKILL.md to confirm the hard-coded paths (~/.openclaw, ~/.gitignore, logs) match what you want inspected. Be aware that the grep patterns are broad and can yield false positives; test the commands manually in a safe environment first. Ensure your agent runs with the least privilege necessary (not as root) so it only examines your user files. If you want it to scan different directories, either edit the prompts or run the commands locally yourself rather than granting an agent broad access.
Review Dimensions
- Purpose & Capability (note): Name/description match the actions: scanning files, checking git status, and inspecting permissions. Minor inconsistency: registry metadata declares no required config paths, but the SKILL.md hard-codes ~/.openclaw and ~/.gitignore as targets. This is coherent with the described OpenClaw focus but should be declared explicitly in metadata.
- Instruction Scope (ok): SKILL.md only runs local, read-only commands (stat, grep, git, find, ls) against the user's home dotfiles and logs. These actions are within the declared purpose (permission checks, token pattern scanning, git/gitignore checks). It does not transmit data externally. Note: the grep patterns are broad and may produce false positives, and grep -P (PCRE) is a GNU grep extension that is not available on all platforms.
- Install Mechanism (ok): Instruction-only skill with no install spec or code to download; lowest install risk.
- Credentials (ok): The skill requests no environment variables or credentials. The binaries it requires (grep, stat, git) are appropriate for the described checks.
- Persistence & Privilege (ok): always:false and normal model invocation settings. The skill does not request permanent presence or modify other skills/configuration.
