Skill v5.1.2

ClawScan security

Pubblue · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Suspicious · Mar 7, 2026, 4:52 AM
Verdict
suspicious
Confidence
medium
Model
gpt-5-mini
Summary
The skill's instructions line up with its stated purpose, but it asks the agent to install/run an external npm CLI from an unknown source and to persist an API key and bridge into the agent workspace — risks that should be reviewed before installing.
Guidance
This skill appears to do what it says (publishing and live P2P visualization), but exercise caution before installing and running the external pubblue CLI:
1) There is no source or homepage included in the skill bundle — verify the npm package and its source repository (pub.blue / npm) before installing.
2) Installing via npm or using npx will execute third-party code; prefer inspecting the package source first or installing in a disposable/sandbox environment.
3) The CLI stores an API key in a config file under ~/.openclaw/pubblue by default and can access the agent workspace (OPENCLAW_WORKSPACE); to reduce risk, set PUBBLUE_CONFIG_DIR to a sandboxed directory and avoid placing secrets in shared workspaces.
4) Live mode establishes P2P/browser sessions — only use with trusted peers and in environments where outbound/inbound connections are acceptable.
If you need higher assurance, ask the skill author for the CLI source repo or a signed release and audit the package before granting it any credentials or access.

Review Dimensions

Purpose & Capability
note: Name/description (publish & live P2P visualization) match the runtime instructions: SKILL.md only describes using the pubblue CLI to create/list/update/delete pubs and run a daemon for live browser-initiated P2P sessions. Nothing in the instructions asks for unrelated credentials or capabilities. However, the skill provides no source/homepage and relies on an external npm package (pubblue) that is not included in the bundle — the provenance of that CLI is unknown.
Instruction Scope
concern: The instructions tell the agent to install/run the pubblue CLI and to store an API key (via pubblue configure) in a config file under ~/.openclaw/pubblue/config.json (or a directory overridden by PUBBLUE_CONFIG_DIR). The daemon bridges into OPENCLAW_WORKSPACE by default, and live sessions establish P2P/browser connections. These behaviors are consistent with the feature set, but they also give the externally installed CLI potential access to agent workspace files and to networked peers. The SKILL.md also demonstrates reading local files (notes.md, /tmp/view.html) and describes consumptive reads — all reasonable for publishing but worth noting as data exposure vectors.
Install Mechanism
note: This is an instruction-only skill (no install spec). SKILL.md recommends installing pubblue via npm (npm i -g pubblue@latest) or using npx. That means code will be pulled from the public npm registry at runtime; the skill package itself doesn't contain or vet that code. Using npx can execute remote packages transiently, increasing the risk if the npm package is malicious or compromised.
Credentials
note: The manifest declares no required env vars or credentials, which is proportional. The runtime docs reference PUBBLUE_CONFIG_DIR and OPENCLAW_WORKSPACE env vars as overrides and instruct storing an API key in a config file. Requiring an API key for the pub.blue service is expected, but persisting that key under the agent workspace (default ~/.openclaw/...) or allowing the CLI to access workspace files increases the blast radius for accidental secret exposure.
Persistence & Privilege
ok: The skill does not request always:true and does not declare system-wide installs itself. Autonomous invocation is allowed (platform default). The skill will persist an API key in its own config file by design, which is normal for a CLI client, but note the default config path is inside the agent's home (~/.openclaw), which could allow access to other agent artifacts if the CLI is compromised.