Skillv1.2.5

ClawScan security

Claude Code Task · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

SuspiciousMar 8, 2026, 7:46 AM

Verdict: suspicious
Confidence: high
Model: gpt-5-mini
Summary: The skill's code and instructions broadly match its stated purpose (launching background Claude Code tasks and delivering results), but it reads local OpenClaw config/session files and uses a 'claude' CLI with a flag that bypasses permission checks while not declaring those config paths, credentials, or required binaries — this mismatch and the permission-bypassing behavior are concerning.
Guidance: Before installing or running this skill: - Inspect ~/.openclaw/openclaw.json yourself — the scripts read it for a gateway token (not declared in metadata). If you don't want the skill to access that token, do NOT run the scripts. - Be aware run-task.sh calls an external 'claude' binary and uses --dangerously-skip-permissions (this bypasses permission checks and may allow the invoked agent to access web/file resources). Ensure you trust the 'claude' CLI and understand what it will do. - The skill will write persistent files (~/.openclaw/claude_sessions.json, PID files) and create /init or git repos in project directories; run it in an isolated/test environment first if you want to limit side effects. - The code posts messages to a local gateway (http://localhost:18789) and will send notifications/heartbeats to Telegram/WhatsApp sessions resolved from local session data — confirm you want task content and partial outputs sent to those targets. - If you intend to use it, consider creating a dedicated OpenClaw gateway token with limited scope or running the skill on a VM/container to limit access to your main environment. - If you want this skill but are uncomfortable with automatic reads of ~/.openclaw, request the author add explicit requires.config or requires.env metadata (declaring the exact config path/token) and remove/justify --dangerously-skip-permissions.

Review Dimensions

Purpose & Capability: concernThe skill claims to launch Claude Code async and deliver results to Telegram/WhatsApp, which fits the provided scripts. However the metadata declares no required config paths or credentials while run-task.py and run-task.sh read ~/.openclaw/openclaw.json for a gateway auth token and local session files (~/.openclaw/agents/...), and the shell script calls an external 'claude' binary. Those config/credential accesses and external binary requirements are not declared in the registry metadata and therefore mismatch the stated requirements.
Instruction Scope: concernSKILL.md and the scripts instruct the agent/operator to read/write local files, query sessions_list and sessions_send via a local gateway, create project dirs, initialize git if missing, write prompts to temp files, and send periodic heartbeats to chat targets. run-task.sh invokes 'claude' with --dangerously-skip-permissions (bypassing permission checks). The instructions thus direct reading sensitive local config, persistent writes (~/.openclaw/claude_sessions.json, PID files, /tmp outputs), and network calls to localhost gateway — all of which are broader than the metadata declares and may expose secrets or allow unintended actions.
Install Mechanism: noteThere is no install spec (instruction-only plus shipped scripts), so nothing is automatically downloaded during install (low install-time risk). However the code expects external components (Python requests, the 'claude' CLI) and will execute bundled Python scripts — those dependencies and required binaries are not declared. That creates a runtime coherence problem (missing declared dependencies).
Credentials: concernThe skill reads gateway auth token from ~/.openclaw/openclaw.json and inspects session files under ~/.openclaw/agents to resolve routing. The registry metadata lists no required env vars or config paths; requesting access to a gateway token and local session data is sensitive and not justified in the metadata. The scripts also send content (task outputs and heartbeat messages) via the gateway: this may leak task text or outputs to external recipients and is proportional only if the user expects messaging to those sessions.
Persistence & Privilege: noteThe skill creates persistent files (~/.openclaw/claude_sessions.json, PID files, /tmp output files) and launches background processes via nohup. always:false (normal). It does not appear to modify other skills or global agent settings, but it does establish persistent registry entries and background heartbeats which increase ongoing presence and operational footprint.