Skillv0.1.2

ClawScan security

OpenClaw Glasses (多源搜索+意图感知+权重自适) · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

SuspiciousMar 12, 2026, 7:25 PM

Verdict: suspicious
Confidence: high
Model: gpt-5-mini
Summary: The skill's description matches its code, but the package fails to declare and justify access to local credentials and LLM/API keys that the scripts will read/use — this mismatch is concerning.
Guidance: This skill appears to implement the claimed multi-source search features, but it omits critical metadata about credentials and local file access. Before installing or running it: (1) Ask the publisher for provenance (homepage, owner identity) and for a declared list of required env vars/config paths. (2) Do not run it with real secrets present — remove or rotate any GitHub token or LLM key you don't want the skill to see. (3) If you want to test it, run in an isolated environment (container or VM) and provide only least-privilege API keys (or dummy keys). (4) Inspect ~/.openclaw/credentials/search.json and ~/.git-credentials for sensitive data; prefer explicit env var configuration over left-behind credential files. (5) If you accept the skill, require the author to update the skill metadata to list required env vars (GROK_API_KEY/GROK_API_URL/GROK_MODEL, optional GITHUB_TOKEN) and to document what data is sent to external LLM/APIs. If you cannot verify the source or do not want network/credential exposure, do not install or run it.
Findings: [reads_grok_api_key] expected: relevance_gate._load_creds reads GROK_API_KEY / GROK_API_URL and/or ~/.openclaw/credentials/search.json — calling an LLM is expected for LLM-based relevance scoring, but the skill metadata did not declare these env vars. [reads_github_token] expected: fetch_thread._find_github_token looks for GITHUB_TOKEN/GH_TOKEN and parses ~/.git-credentials. GitHub token access is explainable for 'thread-pulling', but the skill did not declare it and accessing ~/.git-credentials can leak user tokens stored by git. [external_llm_calls] expected: relevance_gate._call_llm makes HTTP POSTs to a grok-compatible chat completions endpoint. External LLM calls are core to the relevance gate but will transmit prompts (query, candidate contexts, possibly extracted page snippets) to remote services — users should be aware of what context is sent.

Review Dimensions

Purpose & Capability: noteThe code implements a multi-source, intent-aware search layer consistent with the skill name/description (scripts for aggregation, thread-pulling, relevance gating and intent guides). However the manifest declares no required env vars or config paths while the code expects provider credentials and may use GitHub tokens and a local OpenClaw credentials file — the capability is plausible but the declared metadata is incomplete.
Instruction Scope: concernRuntime instructions call the included Python scripts (search.py, chain_tracker.py, fetch_thread.py, relevance_gate.py). Those scripts perform network requests, call external LLM endpoints, and explicitly read local credential locations (e.g., relevance_gate._load_creds reads ~/.openclaw/credentials/search.json; fetch_thread._find_github_token reads GITHUB_TOKEN/GH_TOKEN and ~/.git-credentials). The SKILL.md does not list these specific file accesses or env vars. Scripts also 'fail open' in some cases (returning candidates when LLM unavailable), increasing silent network activity. The agent running these scripts could therefore read local tokens and send data to external APIs.
Install Mechanism: noteThere is no install spec (no downloads), which reduces supply-chain risk. But the package includes multiple Python scripts that require the 'requests' library (search.py exits if requests missing). Because there is no install step, users may be surprised by runtime failures or by the code executing without explicit declared dependencies. No external binary downloads or obscure URLs were observed.
Credentials: concernRegistry metadata declares no required env vars or config paths, yet the code expects and will use: GROK_API_KEY / GROK_API_URL / GROK_MODEL (relevance_gate._load_creds and env overrides); a credentials JSON at ~/.openclaw/credentials/search.json; and GitHub tokens via GITHUB_TOKEN, GH_TOKEN, or ~/.git-credentials (fetch_thread._find_github_token). Those are reasonable for a multi-source search skill, but they are not declared in the skill metadata and grant access to potentially sensitive secrets (LLM API keys, GitHub tokens).
Persistence & Privilege: okThe skill is not marked always:true and does not attempt to modify other skills or system-wide agent configuration. Its behavior is limited to fetching web content, calling LLM APIs, and writing output files if asked (chain_tracker can write results.json). Autonomous invocation is enabled by default (normal for skills) but does not on its own change this assessment.