OpenClaw Security Guard Review
Audited by ClawScan on May 10, 2026.
Overview
This is a coherent local security-check helper; its main risks are disclosed local script execution and persistent audit outputs that may contain sensitive excerpts.
This skill appears safe to use as a local lightweight scanner. Run it only on folders you intend to inspect, remember that audit outputs may contain secrets, use simple Obsidian note titles, and install the hook wrapper only if you want a persistent local prepublish command.
Findings (3)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Running the prepublish guard executes local scanner code against the directory you provide.
The script invokes another bundled Node script locally. This is executable behavior, but it is disclosed, scoped to the user-provided skill directory, and uses no shell string interpolation.
const result = spawnSync(process.execPath, [auditScript, abs], { encoding: 'utf8' });
Use it on intended skill folders only and review the printed WARN/BLOCK results before publishing or installing.
If an audit finds a real secret, the generated note could copy that secret into a persistent local or synced Obsidian vault.
The optional Obsidian writer persists audit finding excerpts into a markdown note. Because this scanner looks for hardcoded secrets, those excerpts may contain sensitive values.
lines.push(` - ${f.excerpt}`); ... fs.writeFileSync(outPath, lines.join('\n'));
Treat audit JSON and generated notes as sensitive; redact secrets before sharing or syncing, and delete notes that captured real credentials.
A local helper script remains available after installation until you remove it.
The optional installer creates a persistent executable wrapper in the user's OpenClaw workspace. It is disclosed and does not show background execution or self-propagation.
TARGET="$HOME/.openclaw/workspace/scripts/security-prepublish-guard.sh" ... chmod +x "$TARGET"
Run the hook installer only if you want that reusable wrapper, and remove the created file if you no longer need it.
