Skill v1.0.4

ClawScan security

ClawGuard | Anti-Malware Scanner & Honeypot · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Benign · Feb 24, 2026, 1:01 AM
Verdict: benign
Confidence: high
Model: gpt-5-mini
Summary
The skill's requested permissions and instructions align with its stated purpose (local honeypot/IDS); it has no install step or external dependencies, and it enforces a user-approval policy for shell actions.
Guidance
This skill is internally consistent with its stated purpose: it will run periodically, create and monitor files inside ~/.openclaw/, and alert you when it sees suspicious skill files. Before installing, be aware that:

- It will create a honeypot file (~/.openclaw/workspace/routing_config_backup.json) containing fake tokens; review or remove that file if you don't want decoy secrets on disk.
- It requests shell permission, but the skill metadata requires you to approve any shell actions explicitly; do not approve shell commands unless you understand the exact command and why it is needed.
- There is no source repo or homepage provided (author identity is unknown); lack of upstream code makes independent verification harder.

If you rely on this for protection, consider manually reviewing the files it creates and testing that your platform enforces the require_approval policy. Overall: coherent and appropriately scoped, but exercise standard caution because the author/source are not verifiable and the honeypot behavior places decoy tokens on your filesystem.

Review Dimensions

Purpose & Capability
ok: The name/description (local IDS + honeypot) matches the requested capabilities: local_read and local_write to place and inspect honeypot files, notify to alert the user, and shell access listed but gated by an approval policy. No unrelated credentials, binaries, or network endpoints are requested.
Instruction Scope
note: Runtime instructions are narrowly scoped to ~/.openclaw/ (create a honeypot file, scan ~/.openclaw/skills/ for suspicious patterns, and notify the user). This is coherent. Minor note: the skill asks to populate a file with 'dummy internal system tokens'. While intended as bait, that will place fabricated secrets under ~/.openclaw/ and could be detected/used by other tools; the user should understand and consent to the creation of such decoy data.
Install Mechanism
ok: Instruction-only skill with no install spec and no code files; nothing is downloaded or written at install time by the skill itself. This is the lowest-risk install model.
Credentials
ok: No environment variables, credentials, or external service tokens are requested. The permission set (local_read, local_write, shell, notify) is proportionate to a local honeypot/IDS; shell is present but explicitly constrained by a require_approval policy in the metadata.
Persistence & Privilege
note: always:false (normal). The skill includes a cron heartbeat metadata entry and requests local filesystem and shell permissions to operate periodically; this is expected for an IDS. The requirement that shell commands be subject to require_approval mitigates autonomous destructive actions. Confirm your platform enforces the require_approval policy as intended before granting shell approval.