Skillv6.8.20

ClawScan security

Antivirus · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

SuspiciousMar 12, 2026, 4:59 AM

Verdict: suspicious
Confidence: medium
Model: gpt-5-mini
Summary: The skill's description matches its behavior (an OpenClaw security plugin), but the runtime instructions reference local credential paths, node scripts, and the OpenClaw CLI without declaring those dependencies — that mismatch and the fact installation will download/enable external code justify caution.
Guidance: This skill appears to be a wrapper/integration for the MoltGuard OpenGuardRails plugin — that is coherent with its description. However: (1) the SKILL.md tells you to run 'openclaw plugins install' and Node scripts but doesn't declare those binaries as required — make sure OpenClaw and Node are installed and that you trust the plugin source before running install. (2) The instructions reference saving and showing API keys and reading files under ~/.openclaw — installing the plugin will place code and credentials under your home directory and may run scripts that contact external endpoints (the public Core or an enterprise Core URL). Review the plugin repository (the GitHub link in the SKILL.md) or inspect the installed files before granting it access to sensitive data. (3) Be cautious about using enterprise-enroll commands that point the agent to custom Core endpoints (these will transmit credentials to that endpoint). If you trust OpenGuardRails and will inspect the plugin code or run installation in a contained environment, the risk is reduced; otherwise treat this as potentially sensitive and verify the plugin first.

Review Dimensions

Purpose & Capability: noteThe SKILL.md describes a security/guardrail plugin and all instructions revolve around installing and using a MoltGuard plugin for OpenClaw, which is consistent with the description. However, the skill does not declare required binaries even though the instructions call out 'openclaw plugins install' and 'node ...' commands — a mild coherence gap. No unrelated services or unexplained credentials are requested.
Instruction Scope: concernRuntime instructions tell the agent to read a local sample file (~/.openclaw/extensions/moltguard/samples/test-email-popup.txt), save credentials under ~/.openclaw/credentials/moltguard/, run node scripts under ~/.openclaw/extensions/moltguard/scripts/, and display API keys/quota via /og_status. Those actions access local config/credential paths and run local scripts, which are reasonable for a plugin but involve sensitive data and filesystem access; the skill doesn't explicitly declare or justify that access inside its metadata.
Install Mechanism: noteThe skill is instruction-only (no install spec). Installation is delegated to the OpenClaw plugin system via 'openclaw plugins install @openguardrails/moltguard' — this will download and install external code at runtime. That's expected for a plugin, but because the SKILL.md itself doesn't include or audit the plugin code, users are installing external code implicitly; the install source is the OpenGuardRails project (GitHub link provided), which reduces but does not eliminate risk.
Credentials: concernThe manifest declares no required environment variables or credentials, yet the instructions explicitly reference API keys, claiming credentials will be stored under ~/.openclaw/credentials/moltguard/ and showing /og_status that reveals an API key and quota. The skill will therefore interact with and surface sensitive credentials without declaring them in metadata — a proportionality/documentation gap that users should be aware of.
Persistence & Privilege: okThe skill does not request 'always: true' and is user-invocable only; it does describe storing credentials and placing scripts under the user's OpenClaw extension directory, which is normal for a plugin. Autonomous invocation is allowed (default), but that is expected for skills and not by itself a red flag here.