Skill v7.18.1

ClawScan security

Agile Workflow · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Review, Mar 15, 2026, 2:06 PM
Verdict: Review
Confidence: medium
Model: gpt-5-mini
Summary
The skill's description and files match an agile workflow engine, but the runtime instructions include persistent system changes and a pre-scan prompt-injection signal (system-prompt-override); the package contains many executable JS files with no install spec — review before enabling or running.
Guidance
This package appears to be a full workflow engine and includes many executable JavaScript files plus instructions to enable background services and edit your agent config. Before installing or enabling:
1) Do not add the crontab entries or enable autoTrigger until you audit the code.
2) Inspect key files locally (llm-gateway.js, agent-manager.js, any files that use network, child_process, fs, or eval) for outbound endpoints, hard-coded URLs, or code that reads unrelated host files.
3) Search the code for child_process.exec/spawn, net/http/axios/fetch, websocket/socket usage, and any calls that post data externally.
4) Pay special attention to SKILL.md content flagged as 'system-prompt-override' — remove or question any lines that attempt to change model/system prompts.
5) Check package.json and package-lock.json for unexpected dependencies; run static scans (SAST) and dynamic tests in an isolated VM or container.
6) If you must test on your machine, run the service in a sandboxed account with no access to sensitive files and avoid enabling persistent crontab/nohup until you are confident.
If you want, I can list high-priority files/strings to inspect (network calls, credential patterns, child_process) or help generate a review checklist.
Findings
[system-prompt-override] unexpected: The static pre-scan flagged inline pattern(s) consistent with attempts to alter system/model prompts. There are many files and runtime instructions that would let the skill execute arbitrary JS; a prompt-override directive in the SKILL.md is not required for an on-host workflow engine and is suspicious — inspect SKILL.md and code for any instructions that attempt to change or inject model/system prompts.

Review Dimensions

Purpose & Capability
note: The name, description and many included JS modules (agent manager, scheduler, circuit breaker, llm-gateway, token manager, etc.) are internally consistent with an on-host workflow engine. However, the metadata claims 'instruction-only' / no install spec while the bundle contains dozens of executable code files — that mismatch is unexpected and worth noting. The engine's need to run background processes and modify its own agent config is reasonable for this purpose.
Instruction Scope
concern: SKILL.md instructs editing ~/.openclaw/openclaw.json, creating crontab entries, running node on explicit absolute paths (e.g., /home/ubutu/.openclaw/...), and running background nohup processes. Those actions give the skill persistent runtime presence and cause it to execute bundled JS code on the host. Additionally, the pre-scan flagged a 'system-prompt-override' pattern in SKILL.md — instructions may attempt to influence model/system prompts. These instructions go beyond a simple helper and warrant manual code review before enabling.
Install Mechanism
note: No install specification is provided (the registry metadata says 'instruction-only'), yet the package includes many code files and scripts meant to be executed. The absence of an install step means the skill expects manual git/npm steps and direct node execution; that's not inherently malicious but increases the risk that bundled code will be executed with host privileges without an automated vetted install process. No remote download URLs were present in the SKILL.md, which reduces one class of risk.
Credentials
note: The skill does not request environment variables or external credentials, which aligns with its stated purpose. However, the runtime instructions write and read host-specific paths (e.g., ~/.openclaw/openclaw.json, /home/ubutu/.openclaw/..., /workspace/logs/...) and add crontab entries. Those file and crontab modifications are proportionate for a service but still grant persistent access to logs/configs — review whether those paths overlap with sensitive data on your host.
Persistence & Privilege
note: The skill does not set always:true and does not declare extra credentials, but the SKILL.md explicitly directs enabling the skill in agent config and adding crontab/nohup entries to run the engine continuously. That grants long-term execution capability on the host (normal for a workflow engine), so only proceed after code review. This persistent presence combined with the prompt-injection signal increases risk.