Skillv1.2.0

ClawScan security

Birth System Manager · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

SuspiciousMar 8, 2026, 6:51 AM

Verdict: suspicious
Confidence: high
Model: gpt-5-mini
Summary: The skill's code and runtime instructions diverge in important ways: it stores and can output private keys in plaintext, leaks pack passwords into migration files, and uses environment variables that the SKILL.md/metadata do not declare — these inconsistencies warrant caution before installing.
Guidance: Do NOT install this skill into a production agent without review and changes. Specific issues to consider: - generate-birth-id.js writes private_key in plaintext into ~/.openclaw/birth-info.json; this is sensitive and the README warns encryption is preferred but the code does not enforce it. Replace with encrypted storage or remove storing of raw private_key. - decrypt-wallet.js prints the private key to stdout by default (contradicts SKILL.md which promises 'NEVER show full private key'). Modify the script to never print the private key unless explicitly and knowingly requested, and avoid writing private keys to disk. - pack.js uses a default password ('default-secret-password') if none is supplied and then embeds the chosen password inside MIGRATION.md saved into the package. That effectively leaks the encryption password in the archive. Change the behavior to require an explicit password and never write it into package files or migration instructions. - The pack process includes workspace/skills/memory directories and system metadata (hostname), which can bundle arbitrary user data. Audit what will be included and add safer defaults or explicit confirmation prompts. - SKILL.md and package metadata do not declare environment variables the code actually uses (BIRTH_PRIVATE_KEY_PASSWORD, BIRTH_PACK_PASSWORD, IS_CLONE, etc.). The mismatch is misleading; update metadata and documentation to list required env vars and their security implications. - The SKILL.md contained unicode control characters (possible injection). Open SKILL.md in a hex-aware editor to ensure there is no hidden content or malicious prompt-injection text. Recommended next steps before installing: run the scripts in an isolated sandbox/container, back up ~/.openclaw/birth-info.json, remove or encrypt private_key fields, patch decrypt-wallet.js to avoid printing secrets, and change pack.js to never embed passwords into files and to prompt the user before archiving workspace content. If you cannot review and patch the code yourself, avoid installing this skill.
Findings: [unicode-control-chars] unexpected: The SKILL.md contained unicode control characters flagged as prompt-injection patterns. This is unexpected for a local management tool and may indicate an attempt to manipulate evaluation/import. Review SKILL.md content carefully for hidden/control characters before trusting it.

Review Dimensions

Purpose & Capability: concernName/description claim birth, pack/unpack, and lineage management — that is consistent with the included scripts. However the pack script includes workspace/skills/memory and system metadata (hostname/platform) when creating migration archives, which is broader than a minimal 'birth id' manager and can cause unintentional bundling of arbitrary user data. The SKILL metadata indicates no required env vars, but code relies on several (IS_CLONE, BIRTH_PRIVATE_KEY_PASSWORD, BIRTH_PACK_PASSWORD, OPENCLAW_WORKSPACE etc.), so the declared capabilities do not fully match what the code needs.
Instruction Scope: concernSKILL.md asserts 'All operations local, no network calls' and 'Passwords via env only' and promises 'NEVER show full private key' on decryption. The code contradicts this: generate-birth-id.js stores raw private_key in birth-info.json, decrypt-wallet.js prints the private key to stdout by default (unless the user sets DECRYPT_OUTPUT_TO_FILE), and pack.js embeds the pack password in the generated MIGRATION.md (leaking the password inside the package). pack.js also collects hostname/platform and may include workspace/skills/memory directories in the archive — this can unintentionally capture sensitive files. These are scope and data-handling mismatches with the SKILL.md promises.
Install Mechanism: noteThere is no external install spec (no network downloads) so nothing is fetched from unknown URLs at install time — that's lower risk. The package includes multiple Node JS scripts and implicitly requires Node modules (ethers, archiver) but the metadata only lists 'node' as a required binary; dependency installation is not declared. No extract-from-URL installs were found.
Credentials: concernThe skill metadata declares no required env vars, but the code uses and/or relies on many environment settings: IS_CLONE (behavior change), BIRTH_PRIVATE_KEY_PASSWORD (decrypt private keys), BIRTH_PACK_PASSWORD (pack encryption password; defaults to 'default-secret-password' when unset), DECRYPT_OUTPUT_TO_FILE (controls writing private key to file), OPENCLAW_CONFIG_PATH/OPENCLAW_WORKSPACE (paths). Requiring or using private-key passwords and writing/reading birth-info.json are highly sensitive actions; the lack of declared credentials and the presence of an insecure default password in pack.js are disproportionate and not properly advertised.
Persistence & Privilege: noteThe skill does not request 'always: true' and is user-invocable only — normal. It reads and writes the user's ~/.openclaw/birth-info.json and creates files under /tmp and ~/Desktop or the target dir during pack/unpack. That file I/O is expected for a birth/pack/unpack tool, but because of the sensitive nature of what it writes (plaintext private_key, encrypted backups, MIGRATION.md with password), the persistence behavior increases risk if installed without careful review.