Back to skill
Skillv1.1.3
ClawScan security
Privateclaw Plugin Setup · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
ReviewApr 10, 2026, 4:27 PM
- Verdict
- Review
- Confidence
- medium
- Model
- gpt-5-mini
- Summary
- The skill's instructions largely match its stated purpose (installing and pairing the PrivateClaw plugin), but it explicitly recommends a risky install flag and instructs sharing pairing QR codes into active chats—both of which deserve caution before installing or running.
- Guidance
- This skill appears to do what it claims (set up PrivateClaw) but contains two items you should consider before proceeding: (1) it instructs using --dangerously-force-unsafe-install when installing the plugin—avoid that flag unless you fully trust and have inspected the package, or run the install in an isolated/test environment; (2) pairing returns QR/invite payloads that grant session access—do not post or re-share these QR codes in public or wrong channels. Before installing: ensure openclaw is installed, verify the plugin package and GitHub release pages yourself, prefer the registered plugin command (which returns invites via the OpenClaw reply path) over manual CLI posting, and consider testing installs in a container or sandbox. If unsure, ask the skill author for justification for the unsafe install flag or request an install method that does not bypass safety checks.
- Findings
[no_code_files_to_scan] expected: This is an instruction-only skill (SKILL.md only). The regex scanner had no code to analyze, which is expected but means there is no static analysis of any install-time code or package.
Review Dimensions
- Purpose & Capability
- okName, description, and the single required binary (openclaw) align with the skill's functionality: installing/enabling/verifying/pairing the PrivateClaw OpenClaw plugin. There are no unrelated env vars, binaries, or config paths requested.
- Instruction Scope
- concernThe SKILL.md stays on-topic for plugin lifecycle operations, but it explicitly tells operators to return pairing QR images/invite URIs into the current chat and to use the --dangerously-force-unsafe-install flag for installs. Sending QR/invite payloads to chat can leak session secrets if posted to the wrong channel; the 'dangerous' install guidance increases risk of running unverified code. The instructions do not direct the agent to read unrelated system files or external credentials.
- Install Mechanism
- noteThis is an instruction-only skill (no install spec or code files). The recommended install command uses openclaw plugins install @privateclaw/privateclaw@latest but insists on --dangerously-force-unsafe-install as the default. That flag is high-risk because it bypasses safety checks—reasonable in some development scenarios but disproportionate as a default for general users. The guidance to prefer local checkout when present is coherent.
- Credentials
- okThe skill declares no required environment variables or credentials, which fits its purpose. Note: pairing QR codes and invite URIs are effectively secrets for session access; the skill's recommendation to post them into the current conversation means the agent/operator must be careful about recipient/context to avoid exposure.
- Persistence & Privilege
- okThe skill does not request elevated privileges, persistent 'always' inclusion, or edits to other skills' configurations. It instructs installing and enabling a plugin and restarting the OpenClaw gateway—expected for this purpose and within scope.