Skillv1.0.5

ClawScan security

OpenClaw Bot Dashboard · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

SuspiciousMar 6, 2026, 3:22 PM

Verdict: suspicious
Confidence: medium
Model: gpt-5-mini
Summary: The skill's instructions match its stated purpose (cloning, installing, and launching a dashboard) but include destructive and auto-executing steps (rm -rf, kill -9, npm install / npm run dev on code pulled from GitHub) and omit declaring that they will read or write files under your home directory — so it’s coherent but potentially risky and needs human review before running.
Guidance: This skill does what it claims (download, install, and run a local dashboard) but it will: clone code into ~/projects, delete and replace that directory if you don't have git, stop any process using port 3000 (force kill), run npm install, and start the dev server in the background. Before installing/running: (1) manually inspect the GitHub repo (https://github.com/xmanrui/OpenClaw-bot-review) and its package.json/scripts for suspicious postinstall or start scripts; (2) back up any important ~/projects/OpenClaw-bot-review contents; (3) consider running npm install and npm run dev in a sandbox or container if you want to avoid executing untrusted code on your host; (4) be aware the skill will not prompt before rm -rf or kill -9, so run commands manually if you want confirmation. If you need higher assurance, request the skill author add explicit confirmation steps and declare the config and filesystem changes in the manifest.

Review Dimensions

Purpose & Capability: noteName/description match the actual behavior: it clones or downloads a dashboard repo, installs Node deps and runs a dev server. However the skill manifest declares no config paths or env requirements while the SKILL.md expects an OpenClaw config at ~/.openclaw/openclaw.json and writes to ~/projects/OpenClaw-bot-review — minor inconsistency in declared requirements.
Instruction Scope: concernRuntime instructions tell the agent to run system-level commands: probe/kill processes on port 3000 (lsof/netstat + kill -9), remove directories (rm -rf / Remove-Item), clone or download code from GitHub, run npm install, and start npm run dev in the background. These are within the advertised goal but are destructive and will execute third-party code without an explicit confirmation step. The skill also manipulates files under the user's home directory and may stop unrelated processes that happen to use port 3000.
Install Mechanism: noteThis is an instruction-only skill that clones from a GitHub repo or downloads a ZIP from GitHub — a common and expected pattern. That places it in a moderate-risk category: code pulled from GitHub will be run locally (npm install / npm run), so repository compromise or malicious package scripts could execute on the host.
Credentials: noteThe skill requests no environment variables or credentials in the manifest, which is good. But the instructions implicitly rely on a local OpenClaw config file (~/.openclaw/openclaw.json) and will read/write under ~/projects and start network services. The manifest did not declare the config path or filesystem writes — a mismatch users should be aware of.
Persistence & Privilege: noteThe skill does not request 'always: true' and is user-invocable only — appropriate. It will persist files (clone repo into ~/projects) and start a background server; this is expected for the feature but gives the dashboard a long-lived presence on the machine. It does not modify other skills or system-wide agent settings per the provided files.