Skill v1.0.3
ClawScan security
OpenClaw News Watcher · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Benign · Mar 16, 2026, 8:23 AM
- Verdict
- Benign
- Confidence
- high
- Model
- gpt-5-mini
- Summary
- The skill's code, environment variables, and runtime actions match its stated purpose (scrape news, summarize via the local OpenClaw agent, and send Telegram messages); the main caution is that it executes a local openclaw.mjs process which you must ensure is trustworthy.
- Guidance
- This skill appears to do what it says: it scrapes configured sites, summarizes articles by calling your local OpenClaw agent, and sends messages to the Telegram chat ID you provide. Before installing or running it: (1) Verify OPENCLAW_MJS points to a legitimate OpenClaw installation you trust — the skill will execute that file. (2) Inspect scripts/watch-news.js yourself (it is included) to confirm it matches expectations. (3) Be aware OpenClaw (the target of OPENCLAW_MJS) will perform the actual Telegram sending and may have its own credentials; ensure those are configured securely and not exposing other recipients. (4) Run npm install (playwright) in a controlled environment and ensure you have the appropriate Node version and Chromium available. (5) If you want extra isolation, run the skill in an isolated user account or container so the cache and executed processes are separated from sensitive files. If you cannot verify OPENCLAW_MJS or the OpenClaw installation, do not set that environment variable or do not run the skill.
- Findings
- [child_process.execFileSync] expected: scripts/watch-news.js uses execFileSync to run 'node OPENCLAW_MJS ...' to call the OpenClaw agent and send messages. This is necessary for the skill's design but means the provided OPENCLAW_MJS will be executed — ensure that file is trusted.
- [playwright_network_fetch] expected: The script uses Playwright to visit CoinDesk and PANews to fetch pages and extract article content. Network access to those sites is required for the stated purpose.
- [writes_user_cache] expected: The script reads/writes ~/.openclaw/cache/news-hash.json to persist the last-seen hash. That matches the documented caching behavior.
- [package_dep_crypto] unexpected: package.json lists an external 'crypto' dependency even though Node provides crypto built-in. This appears unnecessary but not directly malicious; it may be a packaging oversight.
Review Dimensions
- Purpose & Capability
- ok
- Name/description (monitor CoinDesk / PANews, summarize, send Telegram) aligns with required items: the script uses Playwright to fetch pages, computes hashes, calls a local OpenClaw agent (OPENCLAW_MJS) to summarize, and uses openclaw message send to deliver to TELEGRAM_USER_ID. No unrelated credentials or services are requested.
- Instruction Scope
- note
- SKILL.md and scripts instruct the agent to launch Playwright, read/write a local cache (~/.openclaw/cache/news-hash.json), and invoke node OPENCLAW_MJS to run the OpenClaw agent and send Telegram messages. This is coherent with the skill, but the code executes the provided OPENCLAW_MJS (arbitrary local JS) via execFileSync — that means the skill will run whatever code is pointed to by OPENCLAW_MJS, so that path must point to a trusted OpenClaw installation.
- Install Mechanism
- ok
- There is no install spec in the registry (instruction-only skill), but package.json and README expect you to run npm install to get Playwright. No remote download URLs or extract steps are embedded in the skill. Dependencies (playwright) are expected for browser automation; the 'crypto' dependency is unnecessary because Node provides crypto natively, but this is not a direct security issue.
- Credentials
- note
- Required env vars are limited to OPENCLAW_MJS and TELEGRAM_USER_ID (plus optional CHROME_PATH and PLAYWRIGHT_HEADLESS). These map to the stated behavior. Caveat: giving the skill a path to OPENCLAW_MJS effectively grants it the ability to run that local script and any actions it performs (including sending messages using configured credentials). This is functionally necessary for the design but increases trust requirements around the provided openclaw.mjs.
- Persistence & Privilege
- ok
- The skill does not request always:true, does not modify other skills, and only writes to its own cache under the user's home (~/.openclaw/cache/news-hash.json). No elevated persistence or system-wide config changes are requested.
