Skill v1.0.1
ClawScan security
Dynamic Skill Manager · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Benign · Mar 7, 2026, 4:15 AM
- Verdict
- benign
- Confidence
- medium
- Model
- gpt-5-mini
- Summary
- The skill's code and runtime instructions align with its stated purpose (managing local OpenClaw skills); it doesn't request unrelated credentials or external installs, but there are a few implementation issues and operational cautions you should review before enabling it.
- Guidance
- This skill appears to do what it claims — manage and remove local skills — and it does not request unrelated credentials or external downloads. Things to consider before installing or enabling autonomous use:
  - Back up your ~/.openclaw/workspace/skills and registry before running uninstall/sync operations, because uninstall will remove directories with shutil.rmtree.
  - Usage logs (context strings) are written to ~/.openclaw/workspace/.skill-manager/usage-log.jsonl unencrypted; avoid sending sensitive user data into the track command, or consider rotating/clearing logs.
  - There is a subtle implementation issue: the code calls Path.resolve() before checking for symlinks, so the intended symlink check may not always detect certain symlink attack patterns. Also consider TOCTOU race conditions between path checks and deletion. If you plan to use this in a multi-user or adversarial environment, ask the author to patch the uninstall logic (check is_symlink on the non-resolved path or inspect path components with lstat; perform atomic checks and removals, or require extra confirmation for risky operations).
  - Consider disabling autonomous model invocation for this skill, or requiring explicit user confirmation for uninstall operations, to reduce the risk of accidental or automated deletions of skills (especially when using the --force option, which overrides system-skill protection).
  If you want higher assurance, request the complete, untruncated source and ask the author to demonstrate fixes for the symlink/TOCTOU concerns and to add an explicit user confirmation step for destructive actions.
Review Dimensions
- Purpose & Capability
- ok · Name/description match what the code and SKILL.md do: enumerate, track, find idle skills, archive and uninstall skills under ~/.openclaw/workspace/skills. Only python3 is required, and no unrelated services or credentials are requested.
- Instruction Scope
- note · Instructions and script operate only on local OpenClaw paths (registry, usage log, skills directory). They perform destructive actions (shutil.rmtree on skill directories), which is expected for an uninstall tool, and they log usage context to disk. This matches the stated functionality, but the script stores usage/context locally (unencrypted) and can remove skill directories — the user should be aware that invoking uninstall will irrevocably delete skill files unless archived/backed up.
- Install Mechanism
- ok · No external install or remote download steps; it's an instruction-only skill with an included Python script. Nothing is fetched from arbitrary URLs or package registries.
- Credentials
- ok · No environment variables, credentials, or unrelated config paths are requested. The requested filesystem access is proportional to the purpose (reading/writing ~/.openclaw workspace files).
- Persistence & Privilege
- note · The skill is not always-enabled and requests no special platform privileges. However, it can delete skill directories and update registry files; if the agent is allowed to invoke the skill autonomously (default model invocation not disabled), an LLM could call uninstall operations without explicit user confirmation. Consider requiring explicit user confirmation for destructive actions, or disabling autonomous invocation, if you want to limit risk.
