Skill v1.0.4
ClawScan security
ClawShow-Gateway-Connect · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Review · Mar 19, 2026, 5:37 AM
- Verdict: Review
- Confidence: medium
- Model: gpt-5-mini
- Summary: The skill mostly matches its stated purpose (install a ClawShow plugin and migrate Gateway config) but contains a few inconsistencies, notably an unsolicited npm install step and no install spec, that warrant caution before running it against real configuration.
- Guidance: This skill appears to do what it says (install @bowong/clawshow-gateway and migrate OpenClaw channel config) and only requests the expected CLAWSHOW_AUTH_TOKEN. However, it instructs the agent to run `npm i ws` in the project root despite not declaring npm in its metadata; that will download and write third-party code into your workspace and may run package lifecycle scripts. Before installing or running this skill: (1) confirm why `ws` is needed and prefer running that step manually in a controlled environment or a disposable/staging workspace; (2) verify the source and trustworthiness of the `@bowong/clawshow-gateway` plugin separately; (3) keep and test the backup produced by the skill (it instructs the agent to create one) and consider running the migration on a staging device first; (4) be aware that `config.apply` performs a full replace, so review the generated JSON5 thoroughly before applying it. If the author can justify the npm step, or the skill is updated to declare npm as a required binary and explain the dependency, these concerns would be reduced.
Review Dimensions
- Purpose & Capability (note): The name/description, declared primary credential (CLAWSHOW_AUTH_TOKEN), and required binary (openclaw) align with a plugin install + config migration task. However, the runtime instructions require running `npm i ws` (a Node package install) even though the skill metadata does not declare npm or any Node-related dependency; this is unexpected given the stated purpose and should be justified.
- Instruction Scope (note): Instructions are detailed and mostly scoped to the OpenClaw project config and OpenClaw RPCs (version check, plugin install, config.get/config.apply). Guardrails explicitly ban reading .env/secrets and discourage outbound test traffic. Two scope issues: (1) the step to install `ws` modifies the local project root (writes to disk), which goes beyond purely invoking OpenClaw, and (2) selecting 'the file currently used by the running Gateway process' requires the agent to inspect process state to choose the correct file; the mechanism for that is not specified and could lead to extra file reads.
- Install Mechanism (concern): This is an instruction-only skill with no install spec, which is low risk in itself, but it explicitly tells the agent to run `npm i ws` in the project root. That command downloads and writes third-party code from the npm registry and can run lifecycle scripts; the metadata does not declare npm as a required binary or justify why the package is needed. The lack of an install spec plus an ad-hoc dependency install is disproportionate and increases risk.
- Credentials (ok): Only the CLAWSHOW_AUTH_TOKEN is declared as the primary credential, and the SKILL.md asks for an authToken input consistent with that. The instructions explicitly forbid reading secret files or exfiltrating secrets. No unrelated credentials or config paths are requested.
- Persistence & Privilege (ok): The skill is not always-enabled and does not request system-wide persistence. It does instruct the agent to apply a full-replace config via `config.apply`, which is powerful but consistent with the migration purpose. No modifications to other skills' configurations or permanent privileges are requested.
