ClawHub Security Scan
Pass
Audited by VirusTotal on May 10, 2026.
Overview
Type: OpenClaw Skill
Name: clawhub-security-scan
Version: 1.1.2
The skill bundle provides a security scanning utility that includes a monetization mechanism via an external API (https://skillpay.me). While the code appears to perform its stated function of identifying insecure patterns, it exhibits risky behaviors such as broad local file system access and the transmission of API credentials (SKILLPAY_API_KEY) to a third-party endpoint. These capabilities, found in scripts/scan.py and scripts/precheck.py, are classified as suspicious because they involve external network communication and sensitive credential handling, even though they are aligned with the stated commercial purpose in SKILL.md.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Running the paid command with a valid SkillPay key can charge the user's SkillPay account.
The precheck command uses a SkillPay API key to call an external billing charge endpoint. This matches the disclosed paid-skill model, but it is still payment/account authority that users should understand before running.
k = api_key or os.environ.get("SKILLPAY_API_KEY")
...
headers={"Content-Type": "application/json", "X-API-Key": key}
...
return _post("/billing/charge", body, k)
Only provide the SkillPay key when you intend to pay for a call; prefer an environment variable over a command-line flag, and the publisher should document SKILLPAY_API_KEY and required billing arguments in the metadata and usage examples.
