Skillv1.4.0

ClawScan security

Portal · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

SuspiciousMar 20, 2026, 4:51 PM

Verdict: suspicious
Confidence: medium
Model: gpt-5-mini
Summary: The skill's behavior (launching cloud browser sessions) matches its description, but the runtime instructions refer to installing and calling an external plugin and to actions (zipping/local uploads, polling auth flows) that are not declared or provided by the skill bundle — this mismatch is concerning and needs clarification before trusting the skill.
Guidance: This SKILL.md looks like a usage manual for an external 'openclaw-portal' plugin rather than a self-contained skill. Before installing or using it: 1) Ask the publisher which package or plugin provides the runtime actions (create_script, make_portal). Do not run the install commands from the guide unless you trust that plugin source. 2) Clarify whether the agent will ask you to upload zipped/base64 project files (safe) or will attempt to read files from the agent host (risky/unexpected). 3) Never paste raw credentials into chat — use the hosted verification_url flow the guide describes, and confirm the URL domain is legitimate. 4) If you need transparency, request an install spec or the plugin code so you can verify what will be installed and where it comes from. Given the missing install/package details, treat this skill as potentially incomplete or misconfigured until you confirm the external dependency and its origin.

Review Dimensions

Purpose & Capability: noteThe stated purpose — turning URLs into live cloud browser sessions with Watch/Play modes — aligns with the SKILL.md workflow and API calls (create_script, make_portal, etc.). However, the skill package contains only SKILL.md and no implementation, yet the instructions tell the agent to install a separate plugin (openclaw-portal) and to call platform-specific RPCs. It's unclear whether those RPCs are provided by the hosting platform or by the missing plugin, creating an implementation gap.
Instruction Scope: noteMost instructions are scoped to the portal service (authenticate, create_script, make_portal, send returned URLs to user). Some steps instruct zipping and base64-encoding local files and saving login state via a hosted browser — these imply user uploads or access to local project files. The instructions do not explicitly tell the agent to read arbitrary local files, but the guidance to create a base64 payload could be interpreted either as: (a) ask the user to upload/provide the base64, or (b) read the agent's host filesystem. That ambiguity increases risk if an agent implementation tries to satisfy it by reading files without explicit user consent.
Install Mechanism: concernSKILL.md contains explicit install commands (openclaw plugins install openclaw-portal; openclaw gateway restart), yet the skill package includes no install spec or code. That mismatch is a red flag: the instructions expect an external plugin or binary that is not declared in the registry metadata. The absence of an install spec makes it unclear what will actually be installed or run if a user follows those instructions.
Credentials: okThe skill declares no required environment variables, no credentials, and no config paths — which is proportionate to the described functionality because the workflow uses hosted browser sessions and device-code style verification URLs. There is no explicit request for unrelated secrets. Note: the flow asks users to authenticate via hosted URLs; users should not paste account credentials directly into chat.
Persistence & Privilege: okThe skill does not request always:true and does not declare any persistent system-level modifications. Autonomous invocation is allowed by default (platform normal), but there is no evidence the skill requests elevated privileges or writes to other skills' configs.