Skill v1.0.1

ClawScan security

skill sec · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Benign · Feb 23, 2026, 6:09 PM
Verdict
benign
Confidence
high
Model
gpt-5-mini
Summary
The skill's code and runtime instructions match its stated purpose (inventorying skills and sending metadata or, on explicit request, source files to a Clawned server); it requests only a single API key and a python binary and does not ask for disproportionate access.
Guidance
This skill appears to do what it says: it inventories installed skills and (when you explicitly run a scan) uploads selected source/config files to a Clawned server. Before installing or enabling it, consider:
- Only provide CLAWNED_API_KEY if you trust the Clawned service and its privacy/security practices (default server is api.clawned.io). Review their privacy/retention policies.
- 'sync' uploads only metadata (owner, slug, displayName, commit/version). 'scan --path' will upload file contents (up to 30 files, 512KB each) — do NOT run scan on arbitrary or sensitive directories (e.g., repos containing secrets).
- The agent reads ~/.openclaw/openclaw.json to find extra skill directories; make sure that file does not expose unintended paths you don't want scanned.
- The script stores a local state file at ~/.openclaw/clawned_agent.json (agent id, timestamps).
- If you want extra caution: run a quick code review of scripts/agent.py locally, or run the agent in a constrained environment (container) or against a test CLAWNED_SERVER endpoint before using it on production data. If you have low tolerance for uploading any project files, avoid using 'scan --path' or run scans only on copies you control.
Findings
[CRED-001] expected: The code reads ~/.openclaw/openclaw.json to obtain extraDirs (to discover skills). This pattern is flagged by the detector as credential-sensitive, but here the read is used to locate skill directories; the script does not send that file to the server.
[EXFIL-004] expected: The agent contacts a remote server (default CLAWNED_SERVER=https://api.clawned.io). A domain or endpoint in the code is expected for a service that uploads metadata or scans; ensure you trust the target server before providing your API key.

Review Dimensions

Purpose & Capability
ok · Name/description, required binary (python3), and required env var (CLAWNED_API_KEY) align with behavior in the code: the agent discovers installed skills and POSTs metadata or, on explicit scan, file contents to a Clawned server. Reading ~/.openclaw/openclaw.json to locate extraDirs is consistent with discovery functionality.
Instruction Scope
note · SKILL.md and the script keep scope consistent: 'sync' only sends metadata (owner, slug, displayName, latest.commit/version), while 'scan --path' explicitly reads up to 30 scannable files (many config/source extensions) and uploads their contents. The skill explicitly excludes .env files, but other config files (JSON/YAML/TOML, etc.) are collected on explicit scans — users should avoid scanning arbitrary/non-skill directories.
Install Mechanism
ok · No install spec is provided (instruction-only + included Python script). Nothing is downloaded or installed at runtime; risk from install mechanism is low.
Credentials
ok · Only CLAWNED_API_KEY is required (CLAWNED_SERVER is optional). That single credential is proportional to a service that must authenticate to a remote dashboard. The agent does read openclaw.json to find extraDirs, but it does not send that config to the server in normal operation.
Persistence & Privilege
ok · The skill is not auto-included (always:false). It writes a small state file (~/.openclaw/clawned_agent.json) to store agent_id and last sync timestamps — this is reasonable for an agent. There is no evidence it modifies other skills or system-wide config.