Skill v1.0.0

ClawScan security

Agent Audit Shield · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Suspicious · Mar 4, 2026, 2:26 PM
Verdict: suspicious
Confidence: high
Model: gpt-5-mini
Summary
The SKILL.md advertises real-time OS/LLM interception and a TUI approval workflow but contains no code, no install steps, and no declared permissions—the claimed capabilities do not match the actual artifact.
Guidance
This package is marketing copy without implementation: it promises real-time OS/LLM interception, blocking, and a TUI but provides no code, installers, or permissions to do that work. Do not rely on it for protection. Before installing or running anything: ask for the source repository and reviewed code, a clear install procedure, the exact binaries/services that will be installed, what system privileges are required, how payment is handled, and an explanation of how it enforces network/file policies. If the author cannot produce verifiable source and a reproducible build, treat the skill as non-functional (or potentially malicious if later bundled with opaque installers) and do not grant elevated privileges or send secrets to it.

Review Dimensions

Purpose & Capability
Concern: The skill claims to act as a 'Sovereign Interceptor' that blocks exfiltration and prevents rm -rf outside workdirs, yet there are no code files, no required binaries, no install spec, and no declared system privileges. Those capabilities would require binaries, kernel/network hooks, or helper services; none are provided or requested, making the claimed purpose unsupported by the package contents.
Instruction Scope
Concern: SKILL.md is high-level marketing prose and a single usage example (npx openclaw skill run agent-audit-shield --hardened) but contains no runtime instructions for how to intercept LLM↔OS traffic, perform heuristic analysis, present a TUI, or enforce network policies. The instructions are vague and grant broad, undefined authority without specifying which files, paths, or system interfaces will be read or modified.
Install Mechanism
Note: There is no install specification or code—this minimizes direct disk/write risk but also means the skill cannot actually implement the security features it advertises. The lack of an install step is inconsistent with the claimed runtime behavior (TUI, real-time blocking), which would normally require installing a helper binary or service.
Credentials
Note: No environment variables, credentials, or config paths are requested, which is proportionate from a least-privilege perspective. However the metadata includes a payment fee in USDC without explaining how payments are collected or authorized — that mismatch should be clarified before trusting the skill to handle paid sessions.
Persistence & Privilege
Concern: The skill's description implies privileged, persistent interception of agent behavior and system-level enforcement, but the package does not request or document any such privileges. This is misleading: either the skill cannot provide the promised interception, or it requires elevated privileges that are not disclosed.