Skillv1.0.0

ClawScan security

clawhub-skill-install · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

SuspiciousMar 10, 2026, 6:27 AM

Verdict: suspicious
Confidence: medium
Model: gpt-5-mini
Summary: The skill's behavior mostly matches its stated purpose (automated retrying installer), but there are inconsistencies and potentially risky choices (hard-coded user path, missing declaration that the 'clawhub' CLI is required, and automatic forcing/retrying of packages flagged as suspicious) that merit caution before installing.
Guidance: This skill mostly does what it says (automatically retries a 'clawhub install'), but there are three issues to consider before installing: - The metadata fails to declare that the 'clawhub' CLI is required; ensure you have and trust that binary before running the script. - SKILL.md points to an absolute path in /Users/jaredszhang/... — update the instruction to use the bundled script path (relative) or verify the path on your machine. Running absolute, user-specific paths can cause unexpected execution of local files. - The script forces installs (--force) and keeps retrying even when a skill is 'flagged as suspicious'. That behavior can bypass safety signals. If you plan to use this, run it manually first for a test skill, inspect the scripts and the 'clawhub' behavior, or disable autonomous execution so you can approve each install. If you do proceed, run inside a sandbox or test environment and prefer installing from trusted sources only.

Review Dimensions

Purpose & Capability: concernThe skill claims to install ClawHub skills, which is consistent with the included script that runs 'clawhub install'. However the package metadata declares no required binaries while the runtime requires the 'clawhub' CLI. That mismatch is incoherent and will cause failure or surprise at runtime.
Instruction Scope: concernSKILL.md instructs the agent to execute a script at an absolute path (/Users/jaredszhang/.openclaw/...), which embeds a specific developer/user home path rather than a relative or bundled path; this is brittle and could cause the agent to execute a different local file or fail. The instructions themselves do not read unrelated files or exfiltrate secrets, but the absolute path is a portability and supply-chain risk.
Install Mechanism: okThere is no network download or package install step in the skill bundle itself — it's instruction-only with a small included shell script. That is low-risk compared to arbitrary downloads. The script is simple and self-contained (no obfuscated code).
Credentials: concernThe skill requests no environment variables or credentials, which is reasonable, but it implicitly requires the 'clawhub' CLI and does not declare it. More importantly, the script auto-uses '--force' and explicitly continues to retry even when the installer output contains 'flagged as suspicious', which means it will attempt to override safeguards and repeatedly install items that the ecosystem flagged as suspicious. That behavior is disproportionate and risky.
Persistence & Privilege: okThe skill does not request permanent/always-on presence, does not modify other skills' configurations, and does not attempt to persist credentials or change global agent settings. Its runtime actions are limited to invoking the 'clawhub' CLI.