Clawdbot Security Check

Suspicious

Audited by ClawScan on May 10, 2026.

Overview

The skill mostly matches a Clawdbot security-audit purpose, but it claims to be read-only while documenting fix commands that can change settings and expose credentials.

Review this skill carefully before installing. Use it only if you are comfortable with Clawdbot reading its local configuration and credential-related paths. Avoid the documented --fix mode unless you have backups and the agent shows exactly what it will change. Ask the agent to redact tokens and secrets from any audit output.

Findings (4)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

A user may trust the audit as read-only and then run a documented command that changes their Clawdbot settings or file permissions.

Why it was flagged

The same artifact tells users the skill never modifies configuration while also documenting a mode that modifies configuration and permissions.

Skill content

“100% Read-only - Only audits; never modifies configuration” ... “The `--fix` flag applies these guardrails: - Changes `groupPolicy` ... - Resets `logging.redactSensitive` ... - Tightens permissions...”

Recommendation

Remove the read-only claim or remove the fix mode. If fixes remain, clearly label them as mutating, require explicit user confirmation, show a diff, and provide backup or rollback steps.

What this means

The agent could be guided to run shell-based remediation commands that persistently alter local Clawdbot behavior.

Why it was flagged

The skill requests shell execution capability and documents a mutating fix path, which is not adequately scoped by the read-only safety framing.

Skill content

“"requires":{"files":["read"],"tools":["exec","bash"]}” ... “clawdbot security audit --fix — Apply guardrail remediations”

Recommendation

Constrain the skill to read-only commands by default. Put all shell-based fixes behind explicit user approval, exact command preview, and documented scope.

What this means

Secrets or authentication-related configuration could appear in the conversation, logs, or audit output.

Why it was flagged

The audit targets local credential and auth-profile locations, and the environment-variable check can print the actual gateway token value rather than only verifying that it exists.

Skill content

“env | grep CLAWDBOT_GATEWAY_TOKEN” ... “Auth profiles | `~/.clawdbot/agents/{agentId}/auth-profiles.json`”

Recommendation

Use presence checks that do not print secret values, redact tokens by default, and ask the user before reading any credential or auth-profile file.

What this means

If a user expects npm-style scripts to run, the referenced code is not available for review in this artifact set.

Why it was flagged

The package metadata references a JavaScript entrypoint that is not present in the supplied files, creating an inconsistency even though the registry describes this as instruction-only.

Skill content

“"scripts": { "start": "node security-check.js", "start:json": "node security-check.js --json" }”

Recommendation

Remove unused script entries or include and review the referenced file so the package contents match the declared behavior.