Skill v1.0.3

ClawScan security

Agent Builder Plus · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Suspicious
Feb 28, 2026, 8:18 AM
Verdict
suspicious
Confidence
medium
Model
gpt-5-mini
Summary
The skill's instructions broadly match its stated purpose (building OpenClaw agent workspaces) but contain internal contradictions and several scope decisions that could lead to overly permissive or surprising behavior if used without review.
Guidance
This skill is coherent with its stated purpose (it produces OpenClaw workspace files and advises how to register an agent), but it includes contradictory and permissive instructions that could let an agent perform file writes, modify OpenClaw config, and send outbound status messages without clear user consent. Before installing or running: 1) review and edit the SKILL.md to remove/clarify any 'Don't ask permission' or automatic-action lines; 2) test in an isolated directory (not your real ~/.openclaw) and do not run 'openclaw agents add' until you confirm bindings; 3) back up ~/.openclaw/openclaw.json and any credentials; 4) limit the agent's file-write scope (point workspace to a temporary path) and disable automatic outbound status updates or heartbeat automation until you trust behavior. If you want, provide those constrained settings and I can highlight exact lines to change in the SKILL.md.

Review Dimensions

Purpose & Capability
ok
Name/description align with the instructions: the SKILL.md is a step-by-step guide to creating OpenClaw workspaces, generating files (IDENTITY.md, SOUL.md, etc.), and registering agents with the OpenClaw CLI. Required resources (none declared) are proportional given this is instruction-only.
Instruction Scope
concern
Instructions tell the agent to read and write workspace files, create directories, and run OpenClaw CLI commands (e.g., 'openclaw agents add') and explicitly reference user config paths (~/.openclaw/openclaw.json and credentials). Those actions are expected for agent registration, but the content contains contradictory directives (e.g., 'Never run destructive/state-changing actions without explicit permission.' versus 'Don't ask permission. Just do it.') which can expand scope and lead to unintended destructive or outbound actions. The guidance to freely read/edit MEMORY.md and write daily memory files is also powerful and should be constrained by user intent.
Install Mechanism
ok
This is instruction-only with no install spec and no code files, so nothing is written to disk by the skill package itself. That lowers delivery risk; the runtime actions rely on existing tools (file writer, openclaw CLI) which the instructions assume are present.
Credentials
ok
The skill declares no environment variables or credentials. The SKILL.md does reference local OpenClaw config paths (~/.openclaw/*) and warns to avoid committing secrets. Those references are relevant to registering agents and workspace management but do mean the agent will be instructed to access local config and credential files during normal operation.
Persistence & Privilege
note
always:false and normal autonomous invocation are appropriate. However some guidance encourages automated behaviors (self-monitoring, status updates if unresponsive, heartbeat state files) that could cause outbound communications or automated changes unless the human explicitly limits them. The conflicting 'Don't ask permission. Just do it.' line increases the risk that the agent might act without explicit user confirmation.