Skillv5.2.0

ClawScan security

Openclaw Boss · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

SuspiciousMar 8, 2026, 3:24 PM

Verdict: suspicious
Confidence: medium
Model: gpt-5-mini
Summary: The skill's code and instructions broadly match its stated purpose (local user/profile analysis) but include several mismatches and risky requirements (forced full-text paste of local reports into chat, implicit cron/root installation behavior referenced but not present, and unguarded shell execution), so review and sandboxing are advised before install.
Guidance: This skill appears to do what it claims (generate profile reports from local OpenClaw workspace data), but it also requires reading private workspace files and instructs the agent to paste entire reports verbatim into chat (>=2000 words) which could disclose sensitive information. Before installing: 1) Inspect scripts/analyze-user.py fully for any network calls or command strings that could be abused; 2) Confirm there is no hidden .onload that will write to /etc/cron.d or otherwise run as root; 3) Run the skill in an isolated sandbox or non-production account first and inspect generated report files; 4) If you accept scheduled reports, manually install cron entries yourself rather than allowing automatic on-install hooks; 5) Consider limiting which memory files are readable or configuring the script to redact tokens and secrets; 6) Ask the author to explain the missing .onload file and to provide an explicit installer manifest or an opt-in cron setup. If you are not comfortable granting read access to /root/.openclaw/workspace or allowing periodic jobs that touch those files, do not install or run without further hardening and review.

Review Dimensions

Purpose & Capability: noteName/description promise a local user/profile analyzer; the included scripts (analyze-user.py, weekly/monthly wrappers) and SKILL.md behavior align with that goal. However package.json and SECURITY.md reference an onload installer that creates system cron entries (writes /etc/cron.d) yet no .onload file is present in the manifest — mismatch between claimed automatic install behavior and actual files. The skill also expects access to /root/.openclaw/workspace (MEMORY.md, USER.md, memory/*.md, db/memory.db), which is consistent with profiling but grants broad read access to the agent's private workspace.
Instruction Scope: concernSKILL.md explicitly instructs the agent to run the local analysis script and then copy the generated report file verbatim into the chat reply (must include entire 10+ part report and at least 2000 words). That forces revealing of local memory and possibly sensitive content directly into user-visible chat. analyze-user.py also executes shell commands (sessions_list, mem.py recall) and reads workspace files; these are expected for profiling but constitute high-sensitivity I/O. The 'must paste full report' requirement is coercive and increases risk of accidental exfiltration of secrets.
Install Mechanism: noteThere is no formal install spec (lowest risk), but README/package.json reference an automatic onload installer that configures cron jobs and 'clawhub install' behavior. The manifest lacks the .onload file referenced, which is an inconsistency to resolve. The included weekly/monthly shell scripts and README instructions show how cron scheduling would be set up manually. Because no remote downloads or external archives are used, install risk is moderate and mainly about local side effects (cron entries, logs).
Credentials: concernThe skill requests no external credentials or env vars, which fits its purpose. However it requires read access to many local files under /root/.openclaw/workspace (MEMORY.md, USER.md, memory/*.md, db/memory.db) and calls other local tools (sessions_list, mem.py). Those accesses are proportionate to producing a profile but are high-sensitivity: they expose private conversation history, stored memories, and possibly tokens stored in memory files. The script also runs shell commands via subprocess with shell=True, increasing risk if inputs are untrusted.
Persistence & Privilege: concernalways:false (good). But documentation and package.json claim automated cron creation on install (writing to /etc/cron.d/openclaw-boss), which requires root privileges. The repository manifest does not include the referenced .onload, but if an installer or future version writes cron entries automatically it would persist and run periodic analysis. That combination (scheduled periodic reads of user memory) increases the blast radius and should be controlled by the operator (explicit consent, review of cron file, run in sandbox).