Skill v2.0.1

ClawScan security

PaperMC AI Operations · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Suspicious
Mar 28, 2026, 9:26 AM
Verdict
suspicious
Confidence
high
Model
gpt-5-mini
Summary
The skill largely matches its PaperMC management description but contains several inconsistencies and risky artifacts (hard-coded publish tokens, scripts that call sudo/systemctl despite stated safety rules, and network upload/download helpers) that warrant review before installation.
Guidance
Key things to consider before installing or running this skill:
- Do not run the publish scripts (publish_skill.py or publish_to_clawhub.py) unless you explicitly want to upload the repository to ClawHub. They contain a hard-coded API token and will gather and POST many local text files — this could leak sensitive local content. Remove or rotate that token and review the scripts before any execution.
- The SKILL.md safety policy forbids direct systemctl use, but manage_server.py calls systemctl (with sudo). Running that script will require sudo privileges and can perform system-level service restarts. If you allow the agent to run this skill, ensure the agent runs under a least-privilege account and review/modify the service_action implementation (avoid sudo or require manual confirmation).
- plugin_manager.py and plugin_upgrade_framework.py will download jars from URLs and delete/replace plugin files. This is expected functionality but is powerful: verify URLs and run upgrades first in a test environment. Ensure backups work and point SERVER_DIR to a test server before executing.
- The code contains developer-specific default paths (e.g., /home/yan/projects/..., SERVER_DIR = '/path/to/your/papermc-server') — update all path constants before use to avoid accidental operations on unintended directories.
- There are undeclared dependencies used by scripts (requests, requests-toolbelt). Install and audit these packages from trusted package sources before running.
- If you want to proceed: (1) audit and remove or sanitize publish_* scripts (or at minimum remove the embedded API token), (2) set SERVER_DIR and SERVICE_NAME to safe test targets, (3) run in a staging environment first, (4) avoid running scripts as root or with sudo unless necessary and reviewed, (5) consider restricting the agent's ability to autonomously invoke high-risk operations (require human confirmation for restart/update steps).
Given the hard-coded token and the contradiction between declared safety rules and actual system commands, treat this skill as suspicious until you perform the code review and sanitization steps above.

Review Dimensions

Purpose & Capability
concern
Most code (manage_server.py, plugin_manager.py, update_paper.py, plugin_upgrade_framework.py, backup.sh, health_check.sh) is coherent with PaperMC server lifecycle/backup/plugin operations. However, the repository also contains publishing scripts (publish_skill.py, publish_to_clawhub.py) that are unrelated to runtime server management and embed an API token inside the source. These publish scripts can upload many local text files to a remote service, which does not fit the core runtime purpose of safely operating a PaperMC server and is disproportionate to the stated capabilities.
Instruction Scope
concern
SKILL.md instructs operators to 'never use' direct system commands (including systemctl stop/restart) and to route operations through the approved Python scripts. Yet manage_server.py invokes systemctl (and uses sudo for service actions). That is a direct contradiction between the written safety policy and the implementation. The plugin upgrade framework performs network calls (Hangar API) and writes logs to ~/.openclaw; plugin_manager.py downloads arbitrary URLs and writes them into the plugins directory — behavior consistent with purpose but also granting broad discretion to fetch and install external artifacts. The publish scripts walk the repository and upload many files to ClawHub when run — they are not referenced as part of normal server management and could exfiltrate repository content if executed.
Install Mechanism
note
There is no install spec (instruction-only), so nothing is automatically written during install. However, the skill includes many executable code files that the user (or agent) can run. Some scripts (publish_skill.py) rely on external Python packages (requests-toolbelt) not declared in SKILL.md. No remote installers or downloadable archives are used, which lowers installation risk, but presence of runnable publish/upload scripts increases the effective attack surface if run.
Credentials
concern
The registry metadata declares no required environment variables or credentials, but publish_skill.py and publish_to_clawhub.py contain a hard-coded API_TOKEN (clh_kZ-...). Embedding an API token in code is a secret-management anti-pattern and creates an exfiltration/abuse risk if those scripts run. Scripts also assume sudo/systemctl privileges (manage_server.py uses sudo systemctl) which require elevated OS privileges not declared or constrained by the skill metadata. plugin_upgrade_framework.py writes logs to the user's home directory and uses network calls to third-party APIs (hangar.papermc.io).
Persistence & Privilege
ok
The skill is not marked always:true, and there is no evidence it attempts to persistently enable itself in other skills or system-wide configurations. It creates application-level directories and writes logs under ~/.openclaw, which is within expected scope for a management tool. Autonomous invocation is allowed by default (disable-model-invocation=false) — this is platform default and not flagged by itself.