Skill v2.0.0

ClawScan security

OpenClaw JSON Toolkit · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Suspicious · Mar 7, 2026, 2:10 AM
Verdict: suspicious
Confidence: medium
Model: gpt-5-mini
Summary: The skill's described JSON utilities match its name, but the runtime instructions direct user JSON to an external MCP endpoint (a third-party Cloudflare Workers URL) with no source code, privacy policy, or provenance information provided — this creates a plausible data-exfiltration risk and some metadata inconsistencies.
Guidance
This skill appears to be a thin wrapper that sends the JSON you provide to a third-party Cloudflare Workers endpoint for processing. Before installing or using it:
(1) Do not send sensitive or confidential JSON (secrets, credentials, PII) to this skill until you verify the service's privacy/retention policy.
(2) Ask the publisher for the server's source code or a self-hosting option (so you can run the MCP on infrastructure you control).
(3) Verify the endpoint's provenance (who runs yagami8095.workers.dev and the linked GitHub repo) and ask for a security/privacy statement.
(4) If you need safe, auditable processing, prefer local tools or a skill that runs entirely inside the agent without sending data to external hosts.
If you proceed, test first with non-sensitive example data and confirm that the skill only sends what you expect.

Review Dimensions

Purpose & Capability (note)
The name and features (format, validate, diff, query, transform, schema generation) align with the commands and parameters in SKILL.md. However, registry metadata declared no homepage/source while SKILL.md embeds a homepage and a specific external MCP endpoint (https://json-toolkit-mcp.yagami8095.workers.dev/mcp). That mismatch in provenance and the reliance on a remote service should be justified by the author.
Instruction Scope (concern)
SKILL.md is instruction-only and explicitly directs clients to use a streamable-http MCP server at a third-party Cloudflare Workers URL. At runtime the agent will forward user-supplied JSON to that external endpoint for processing. There is no disclosure about logging, retention, or privacy, and no local-processing fallback described. The 'read_when' triggers combined with normal autonomous invocation could cause user JSON (potentially sensitive) to be sent automatically.
Install Mechanism (ok)
No install spec and no files to install — lowest-risk delivery mechanism. The skill is instruction-only and does not write code to disk.
Credentials (ok)
The skill requests no environment variables, credentials, or config paths. That is proportionate to an instruction-only skill that delegates processing to a public endpoint. (Note: it is somewhat unusual that a third-party hosted service claims 'No API key needed' — this is a design choice but not intrinsically inconsistent.)
Persistence & Privilege (note)
always:false and no config or credential modifications — normal. However, because model invocation is allowed (default), the combination of autonomous invocation + an external endpoint increases the risk that user data is forwarded without explicit, informed consent. The skill does not request persistent privileges but does rely on network I/O to a specific external host.