Skillv1.0.0

ClawScan security

New Player Package 800 · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

ReviewFeb 28, 2026, 3:39 PM

Verdict: Review
Confidence: medium
Model: gpt-5-mini
Summary: The guide's purpose matches its instructions broadly, but there are important mismatches (undeclared env vars, missing npm/node requirement, ambiguous 'uv' binary, and unspecified third‑party installs) that make the package incoherent and warrant caution.
Guidance: This is a readable deployment guide, but it omits important metadata and suggests installing third‑party packages without specifying sources. Before running the recommended commands: 1) Verify you have Node.js/npm installed (the guide uses npm but doesn't declare it). 2) Confirm what 'uv' refers to (npm package vs. system binary) and inspect that package before installing. 3) Inspect the 'clawhub', 'session-monitor', and 'task-persistence' packages/repos (GitHub/npm pages) to ensure they are official/trusted and review their code or release provenance. 4) Do not paste gateway tokens or other secrets into commands without understanding where they will be stored/transmitted; prefer editing configuration files locally and backup openclaw.json first. 5) If the author, homepage, or package sources are provided (or you can point the install commands to official repositories), re-run this assessment — that information would raise confidence and could change the verdict to benign. If you cannot verify the packages' origins, avoid running the one‑click script and install components manually from trusted sources.

Review Dimensions

Purpose & Capability: noteThe skill is an instruction-only deployment/optimization guide and most recommended actions (installing skills, editing openclaw.json, creating ~/.openclaw directories, enabling plugins) are consistent with that purpose. However, the declared required binaries (python3, uv, git) are incomplete or ambiguous: the guide's one‑click script calls 'npm install -g', but 'npm' (and thus Node.js) is not listed; 'uv' is ambiguous (could be an npm package, a binary, or a different tool). Requiring 'uv' without explanation is disproportionate.
Instruction Scope: concernSKILL.md instructs the agent/user to install third‑party CLI packages via npm, clone and install skills, edit and export gateway tokens and other OpenClaw config, and create files under ~/.openclaw. It also references environment variables (OPENCLAW_GATEWAY_TOKEN, OPENCLAW_WORKSPACE) that are not declared in the skill metadata. The instructions give broad discretion to install/enable many skills (including ones with persistence/monitoring), which could lead to installing untrusted code if sources are not verified.
Install Mechanism: concernThere is no formal install spec in the skill bundle; instead the README suggests running 'npm install -g clawhub uv' and 'clawhub install ...'. That implies installing packages from registries and fetching unknown skills. Because the skill does not declare where those packages/skills come from (official repos, GitHub, or third‑party), this is moderate-to-high risk—especially the ambiguous 'uv' package and unknown 'clawhub' package which could execute arbitrary code.
Credentials: concernDeclared requirements list no environment variables, but SKILL.md explicitly instructs setting OPENCLAW_GATEWAY_TOKEN and mentions OPENCLAW_WORKSPACE. The guide also tells users to edit gateway.auth.token and gateway.remote.token in openclaw.json. Asking users to set gateway tokens and modifying configuration is expected for deployment, but the metadata should declare these env vars; the omission is an incoherence that makes it unclear what credentials will be used or required at runtime.
Persistence & Privilege: noteThe skill does not request always:true and does not claim elevated system privileges. It instructs installing skills like 'session-monitor' and 'task-persistence' that themselves may run persistently or monitor sessions; this increases blast radius if those skills are untrusted. Autonomous invocation is allowed by default (disable-model-invocation:false), which is normal, but you should be cautious installing third‑party persistent skills.