Skillv1.0.0

ClawScan security

Skill Trust Guard · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

SuspiciousFeb 19, 2026, 12:52 AM

Verdict: suspicious
Confidence: medium
Model: gpt-5-mini
Summary: The skill's behavior mostly matches its stated purpose (wrapping clawhub install and running a scanner) but has surprising implementation details — notably a hard-coded scanner path and reliance on npx/remote execution — that are incoherent or risky for general users and deserve review before installing.
Guidance: This package implements exactly what it says (wraps 'clawhub install' and runs a scanner) but contains a couple of red flags you should address before using it: (1) it expects a scanner at a hard-coded developer path (/home/guofeng/...), so by default it will fail on most machines or — if that path exists — run whatever code is there; (2) the pre-install hook uses 'npx tsx' which can fetch and run code from npm at runtime; (3) integrate.sh installs a PATH shim that will intercept all future 'clawhub install' calls. Recommended steps before installing/integrating: inspect the scanner CLI source you plan to point to (set SCANNER_ROOT/SCANNER_CLI to a trusted local copy or a vetted release), run install.sh on a harmless local skill to observe behavior, avoid running integrate.sh until you trust the scanner (or back up your clawhub binary path), and prefer bundling or referencing a released scanner package (GitHub release or published npm package) rather than relying on a hard-coded developer path. If you want a safer posture, ask the author for a packaged scanner dependency or a verified install mechanism.

Review Dimensions

Purpose & Capability: noteThe name/description (enforce a pre-install scanner) matches what the scripts do (wrapper + pre-install hook + shim). However the scanner dependency is hard-coded to /home/guofeng/clawd/skill-trust-scanner/src/cli.ts by default, which is specific to the author's environment and not explained in the metadata — this will either fail for users or cause the wrapper to run an arbitrary local script if that path exists. That hard-coded path is unexpected for a distributable skill.
Instruction Scope: okSKILL.md and the scripts are focused on scanning a skill directory and making allow/warn/reject decisions. The runtime instructions do not attempt to read unrelated system files themselves (they delegate scanning to an external scanner). The wrapper intercepts 'clawhub install' via a PATH shim as documented, which is consistent with the stated goal.
Install Mechanism: concernThere is no packaged install spec (instruction-only with scripts). The pre-install hook uses 'npx tsx' to execute a TypeScript CLI at a user-expected path; running 'npx' may fetch tools from npm at runtime if tsx is not present, which introduces network code execution. The hard-coded scanner path increases fragility and risk because the skill expects an external project present on disk rather than bundling or installing a vetted scanner from a known release host.
Credentials: okThe skill does not request credentials or config paths beyond optional SCANNER_ROOT/SCANNER_CLI overrides. It does not try to read or exfiltrate environment variables itself. The only notable env usage is allowing override of the scanner path, which is reasonable but means the scanner run will have whatever access that scanner has.
Persistence & Privilege: noteThe integrate.sh installs a shim in ~/.openclaw/bin and instructs users to add it to PATH, which gives the skill persistent interception of 'clawhub install' when that PATH entry is earlier. This is consistent with the purpose but is a behavior that can affect all future installs and should be consciously accepted by the user. The skill is not 'always: true' and does not modify other skill configs.