Skill v0.1.2026210402
ClawScan security
Luckee Skill · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Benign · Apr 21, 2026, 3:15 PM
- Verdict: Benign
- Confidence: high
- Model: gpt-5-mini
- Summary: The skill's instructions, configuration, and required actions are consistent with a plugin that manages a Luckee CLI and OpenClaw plugin; it asks to clone a GitHub repo, install a pip package, and persist tokens locally — all expected for this purpose.
- Guidance: This skill appears to be what it claims: an OpenClaw integration for Luckee. Before installing, verify the upstream GitHub repository (https://github.com/motse-ai/luckee-openclaw-plugin) and the PyPI package 'luckee-cli' match your expectations. Be aware the flow will store API tokens locally (~/.openclaw/secrets/luckee-tool/tokens.json) and may reuse channel credentials (e.g., Feishu) already configured in OpenClaw. Avoid setting a long-lived defaultToken in config unless you trust the plugin source, and consider installing/testing in an isolated or non-production environment first. If you want stronger assurance, review the plugin and CLI source code in the repository before cloning or installing.
Review Dimensions
- Purpose & Capability (ok): The name/description (Luckee e-commerce assistant) matches the actions the skill instructs: cloning the luckee-openclaw plugin repo, registering it with OpenClaw, resolving/installing the luckee CLI, and performing login. Nothing in the requirements or instructions appears unrelated to operating a Luckee OpenClaw plugin.
- Instruction Scope (ok): Runtime instructions are narrowly scoped to plugin lifecycle and usage: check installed plugins, git clone/pull the plugin repository, run 'openclaw plugins install', set binaryPath, run 'luckee login' (browser/auth URL), and use the /luckee command. The skill does reference OpenClaw config and token file paths, which is expected for a plugin that persists credentials.
- Install Mechanism (note): There is no automatic install spec in the registry (instruction-only), but the instructions tell the operator to clone a GitHub repo (github.com/motse-ai/luckee-openclaw-plugin) and, if needed, run 'python -m pip install --upgrade luckee-cli'. These are normal for third-party plugins but carry the usual trust risk of executing code from a remote repo and installing a PyPI package.
- Credentials (note): The skill does not request environment variables or external credentials up front. It does, however, describe storing API tokens in ~/.openclaw/secrets/luckee-tool/tokens.json and supports a configurable defaultToken in plugin config. Persisting tokens is expected for this functionality but is sensitive and should be considered before enabling default tokens.
- Persistence & Privilege (note): The skill instructs installation and registration of an OpenClaw plugin and persistence of per-sender tokens in a local token store. It does not set always:true and relies on normal plugin registration; this is expected but means the plugin will be loaded by the gateway once installed and can use persisted tokens across restarts.
