Openclaw Security Checklist
Result: Pass. Audited by ClawScan on May 10, 2026.
Overview
This appears to be a purpose-aligned security checklist, but it runs local shell checks, may print secret-like strings from your OpenClaw workspace, and uses ipinfo.io for location lookup.
This skill looks safe to use as a checklist if you understand that it runs local shell commands. Review the script first, run it from a trusted install location, do not share raw scan output without redacting secret-like lines, and be aware that the location check contacts ipinfo.io.
Findings (4)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Running the skill can reveal local configuration details and matching lines from files in the OpenClaw workspace.
The script uses local shell commands to inspect system and OpenClaw configuration, including workspace-wide grep checks for secret patterns.
grep -q "password\|secret\|key" ~/.openclaw/config.json ...; grep -r "sk-\|Bearer\|api_key=" ~/.openclaw/workspace
Run it intentionally, review output before sharing, and avoid running with unnecessary elevated privileges.
Secret-like strings could be displayed in the terminal or included in an agent conversation/report if raw output is pasted or summarized.
The secret scan prints the first matching lines from the whole OpenClaw workspace, which may include private notes, memory files, or real credentials if present.
grep -r "sk-\|Bearer\|api_key=" ~/.openclaw/workspace 2>/dev/null | grep -v ".git" | head -5
Redact raw matches before sharing reports; maintainers should mask detected secrets and consider excluding the skill's own reference examples.
The external service can observe the machine's public IP address and the time of the lookup.
The data-border check contacts an external IP geolocation service to determine server country.
location=$(curl -s ipinfo.io/country 2>/dev/null || echo "UNKNOWN")
If IP privacy or offline operation matters, replace this with an internal geolocation method or skip that check.
Users have less registry-level assurance about where the executable scripts came from and what runtime requirements are expected.
The registry context does not provide a source/homepage or install spec, while executable shell files are present, limiting provenance and requirement validation.
Source: unknown; Homepage: none; No install spec — this is an instruction-only skill. Code file presence: 2 code file(s)
Install from a trusted source, inspect the scripts before running, and have the maintainer declare bash/OS requirements consistently in registry metadata.
