Skill v1.0.0

ClawScan security

ClawList — AI-Powered Task Management for OpenClaw · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Suspicious · Mar 22, 2026, 5:01 PM

Verdict: suspicious
Confidence: medium
Model: gpt-5-mini
Summary
The skill's stated purpose (local task management) matches its runtime behavior, but it is missing the referenced script and data and instructs the agent to run arbitrary local Python code from a hard-coded user path — this mismatch is concerning.
Guidance
This skill is suspicious because it contains only instructions and no code or install steps, yet tells the agent to run a Python script and read/write a JSON file at a hard-coded user path that is not included with the skill. Before installing or enabling it: (1) verify the exact file /Users/oliverhutchins1/.openclaw/workspace-main/clawlist/clawlist.py exists and inspect its source to ensure it does only the expected task operations; (2) prefer a version of the skill that includes its code or an install step from a trusted release (GitHub release, official domain); (3) remove or adapt hard-coded user paths to your environment; (4) be aware that the agent will execute that local code (including as part of scheduled briefings), so do not enable the skill if you cannot audit the script. If you cannot locate and review the referenced files, do not install or enable this skill.

Review Dimensions

Purpose & Capability
Concern: Name/description (task management) aligns with the actions in SKILL.md (run a local Python CLI that reads/writes a JSON task file). However the skill bundle contains no code or install steps yet the instructions expect a local script (/Users/oliverhutchins1/.openclaw/.../clawlist.py) and data file. That mismatch (instruction-only but dependent on an external, absent script) is inconsistent and unusual.
Instruction Scope
Concern: Instructions tell the agent to cd into a specific user's home path and run python3 on a local script via exec, capturing stdout and returning it to the user. While this is coherent for a local CLI-based task manager, it also means the agent will execute whatever code exists at that path — potentially arbitrary — and the SKILL.md gives the agent discretion to run these commands for scheduled briefings. The instructions do not include safeguards or checks on the script's content.
Install Mechanism
Note: No install spec (instruction-only) — lower installer risk in itself. But because the skill references an external script that is not included or installed, the skill assumes the environment already contains unverified code. The lack of an included/official install or source increases the chance of misconfiguration or hidden behavior.
Credentials
Note: The skill requests no credentials or env vars (appropriate). However it hard-codes an absolute path containing a specific username (/Users/oliverhutchins1/...), which is not generic and suggests the skill was packaged for a particular user or environment. That hard-coded path is disproportionate to a generic task manager skill and could cause the agent to access that user's files if present.
Persistence & Privilege
Note: 'always' is false (normal). The SKILL.md instructs a daily briefing agent ('Steward') to always run the brief command, meaning recurring execution of the local script. Autonomous invocation plus scheduled use increases the impact if the local script is malicious, but the skill does not request additional system-wide privileges or modify other skills.