Skill v3.0.0

ClawScan security

OpenClaw 晴晴终极套件 · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Review · Mar 15, 2026, 12:22 PM
Verdict: Review
Confidence: medium
Model: gpt-5-mini
Summary
The bundle mostly matches its advertised purpose (an integrated OpenClaw skill suite) but contains inconsistencies and some risky choices (prompt-injection marker in SKILL.md, autonomous multi-skill activation, and unclear handling of external credentials) that you should review before installing or enabling automatic activation.
Guidance
Summary of what to do before installing/activating:
1) Inspect scripts before running: open scripts/install.sh, scripts/deploy.sh and any skills' install/start scripts to confirm they don't download or execute untrusted binaries. Run them in a VM or container if you must test them.
2) Do NOT enable AUTO_SKILL_ACTIVATION or FEISHU_NOTIFY until you audit: automatic activation will cause many subskills/agents to run and may make outbound requests or post files to Feishu. Keep automatic activation off and test skills manually first.
3) Verify credential handling: the suite references Feishu, Xiaohongshu, TikTok, and IronClaw API keys in docs but they are not declared as required metadata. Expect to be asked for tokens; don't paste secrets into prompts. Use a secrets manager (1Password) as recommended and confirm where secrets are read from.
4) Review SKILL.md and flagged content: the unicode-control-chars finding suggests possible prompt obfuscation — open SKILL.md and other agent files to ensure there are no hidden control sequences or instructions that alter prompt behavior.
5) Run local audits: use the included ironclaw_audit.py and any linter/static analysis on the repo in an isolated environment to see what the suite will do. If you have a sandboxed account, test Feishu delivery with a throwaway or test workspace.
6) Prefer manual activation & minimal privileges: start by invoking a single, low-risk skill (e.g., weather) manually and check logs (~/.openclaw/logs). Only broaden permissions after successful inspections.
If you want, I can (a) highlight lines in specific scripts that look suspicious if you paste them here, or (b) produce a short checklist of file/strings to grep for (network calls, exec()/subprocess, hard-coded tokens, base64 strings, shell redirects) to help your audit.
Findings
[unicode-control-chars] unexpected: A prompt-injection detection flagged unicode control characters in SKILL.md. That pattern is not expected for normal documentation and may be used to obfuscate or manipulate prompt parsing. It warrants manual review of SKILL.md and any files concatenated into prompts before enabling automatic behaviors.

Review Dimensions

Purpose & Capability
note: The name, description and files (many sub-skills and docs) line up with a 'suite' integration. The three required env vars (AUTO_SKILL_ACTIVATION, FEISHU_NOTIFY, IRONCLAW_AUTO_SCAN) are reasonable for controlling behavior. Minor mismatch: docs and config checklist mention API keys (e.g., IRONCLAW_API_KEY, Xiaohongshu/TikTok keys) and external tooling, but these secrets are not declared as required env vars in the top-level metadata — the suite promises Feishu delivery but does not declare the Feishu credential variables. That gap is a coherence concern (integration expected but credential requirements are not surfaced in metadata).
Instruction Scope
concern: The SKILL.md and many included docs/scripts instruct the agent to auto-activate many subskills and to run local security scans, Playwright installs, and Feishu file delivery. Automatic activation can cause the agent to spawn many agents that perform network I/O and file operations. The instructions reference system paths (~/.openclaw/logs), scanning scripts (ironclaw_audit.py), and delivery to Feishu; these are within the suite's stated scope but grant broad runtime scope. Also the SKILL.md contains a detected prompt-injection pattern (unicode control characters) which could be used to manipulate prompt parsing — that is out-of-band and should be reviewed carefully.
Install Mechanism
note: There is no formal install spec in the registry metadata, but the package contains many executable scripts (install.sh, deploy.sh, security-scan.sh) and dozens of skill code files. Installing via 'clawhub install' will put code on disk and enable scripts; this is expected for a suite but increases surface area compared to an instruction-only skill. No evidence in the provided data of obscure remote download URLs or URL-shortened installers, but you should inspect the scripts before execution.
Credentials
note: The required env vars are simple feature toggles rather than secrets, which is proportionate. However, the product references additional credentials (IronClaw API key, Xiaohongshu/TikTok cookies/API keys, Feishu tokens) in docs/config checklists and sub-skill READMEs without declaring them as required metadata. A suite that promises Feishu delivery but doesn't declare or document the required Feishu credential variables in top-level requires.env is an incompleteness that could hide runtime prompts for secrets or ad-hoc credential requests.
Persistence & Privilege
note: always:false (good). The skill can invoke the model autonomously (disable-model-invocation:false) — normal for skills. The combination of optional AUTO_SKILL_ACTIVATION (which enables automatic activation of many agents and potentially outbound notifications) plus Feishu delivery and crawling skills increases potential blast radius if enabled without review. Recommend not enabling AUTO_SKILL_ACTIVATION or FEISHU_NOTIFY until you audit the code and credentials.