Skill v1.0.3

ClawScan security

OpenClaw CLS Collector · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Suspicious
Mar 17, 2026, 3:04 PM
Verdict
suspicious
Confidence
medium
Model
gpt-5-mini
Summary
The skill's purpose (deploy OpenClaw to Tencent CLS) is coherent, but it instructs the agent to collect users' SecretId/SecretKey in-chat and to download and execute a remote installer — behavior that is risky and not fully declared in the metadata.
Guidance
This skill aims to deploy OpenClaw to Tencent CLS and legitimately needs Tencent credentials to create resources — but it asks you to paste SecretId/SecretKey into the chat and to run a remotely-downloaded installer. Before installing or using this skill:

- Do not paste long-lived root or high-privilege keys into chat. Treat SecretId/SecretKey as sensitive secrets. Prefer running the provided curl command yourself in a terminal.
- Verify the installer URL (mirrors.tencent.com) and, if you run it, first download and inspect the file locally (cat /tmp/cls-openclaw-setup or open in an editor) before executing.
- Prefer creating a short-lived, least-privilege CAM key scoped only to the CLS resources needed, or use an isolated test account. Rotate or revoke the key after use.
- If you must provide credentials to an agent, ask whether the agent will store or transmit them; avoid sharing secrets in chat with tools that don't declare secret handling.

Given the mismatch between metadata and runtime behavior (no declared creds but instructions collect them) and the remote-execute pattern, proceed only if you can validate the installer and accept the risk, otherwise run the deployment locally yourself.

Review Dimensions

Purpose & Capability
note
Requesting Tencent SecretId/SecretKey and a region is consistent with creating CLS resources. However, the skill metadata declares no required credentials or env vars while the runtime instructions explicitly ask the agent to collect sensitive credentials from the user — a mismatch between declared requirements and actual instructions.
Instruction Scope
concern
The SKILL.md instructs the agent to directly prompt the user for SecretId and SecretKey in chat and then run a remote installer with those credentials. Collecting secrets via chat and transmitting them to a remote install command is broader and higher-risk than the metadata indicates. The instructions do not require the agent to inspect or validate the remote script before execution.
Install Mechanism
concern
There is no install spec in the registry; at runtime the skill downloads an installer from https://mirrors.tencent.com/install/cls/openclaw/setup.sh and executes it. While mirrors.tencent.com appears to be an official Tencent mirror, downloading and executing a remote file is inherently risky — and the doc inconsistently calls the file a binary despite a .sh extension.
Credentials
concern
The only sensitive items requested are Tencent SecretId/SecretKey, which are relevant to the task. However, those credentials are not declared in the skill metadata and the skill asks users to paste them into the chat, which is disproportionate compared with safer alternatives (e.g., asking the user to run the provided curl command locally or provide a short-lived, least-privilege key).
Persistence & Privilege
ok
The skill does not request persistent presence (always:false) and does not modify other skills or system-wide config. Autonomous invocation is allowed (platform default) but the SKILL.md requires waiting for user-provided credentials before proceeding.