Skill v1.2.0
ClawScan security
GitLab Code Review · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Suspicious · Mar 6, 2026, 2:20 AM
- Verdict: suspicious
- Confidence: medium
- Model: gpt-5-mini
- Summary: The skill mostly matches its stated purpose (periodically fetching GitLab commits and preparing review payloads) but has notable inconsistencies and small oddities you should verify before installing, especially around where credentials are declared/stored and a few surprising implementation details.
- Guidance: What to check before installing:
  - Confirm the source and trustworthiness of this skill (no homepage and ownerId only). If you do not trust the publisher, do not install.
  - The skill needs a GitLab Personal Access Token (GITLAB_TOKEN) and GITLAB_PROJECT, but the registry metadata did not declare required env vars — you should expect to create workspace/.env with these values. Store the token securely and limit its scope to read_api only.
  - Review scripts/fetch_commits.py yourself (or have someone you trust) before running: it calls only GitLab API endpoints and writes files to workspace/memory, but it also explicitly pops GITLAB_* env vars before re-loading .env (unexpected). Ensure no hidden endpoints or exfiltration are present (the code shows only GitLab API calls).
  - Verify where the cron job runs and which identity is used to send messages. The cron creation command will instruct the platform to run hourly and to send messages to the specified channel/user; confirm that the platform's message tool cannot be abused to message other users.
  - Check permissions: ensure the agent installation location and workspace/.env are protected and not checked into VCS or exposed; the docs claim .env is in .gitignore but confirm locally.
  - If you need higher assurance, run the fetch_commits.py locally with a disposable token first and inspect produced memory/pending_review_*.json files, and/or sandbox the skill before granting it sustained cron execution.

  If these checks are acceptable, the skill appears functional for its stated purpose. If you find any unexpected environment variables, network destinations beyond GitLab, or unexplained code changes, treat this as a red flag and do not enable cron/autonomous invocation.
Review Dimensions
- Purpose & Capability (note): The skill's name/description align with the code: the Python script calls GitLab APIs, writes pending_review_*.json, and the SKILL.md describes creating a cron job to run it. However the registry metadata claims no required environment variables or primary credential while the runtime clearly needs a GitLab Personal Access Token and project path (stored in workspace/.env). That mismatch (declared none vs actual need for GITLAB_TOKEN and GITLAB_PROJECT) is an inconsistency the author should justify.
- Instruction Scope (concern): SKILL.md instructs the agent to read and write workspace/.env, write to workspace/memory/*, create a platform cron job (openclaw cron add), and push messages via the message tool to the current user/channel. Those actions are within the skill's stated purpose, but the instructions assume the agent can modify workspace files and create cron jobs and send messages — confirm the agent's runtime permissions. Also the script explicitly clears environment variables for the GITLAB_* keys before loading .env (odd but likely intended), which is unexpected and worth reviewing.
- Install Mechanism (ok): There is no remote install step embedded in the package and no external downloads in the code. The repository includes a local script and docs; install options in INSTALL.md reference ClawHub or a download page. No extract-from-arbitrary-URL installs or opaque binaries were found.
- Credentials (concern): The skill requires a GitLab Personal Access Token and project path to function, but the registry metadata lists no required env vars or primary credential. The token is expected to be stored in workspace/.env (local), which is reasonable, but the absence of declared required env vars is a transparency issue. The required token scope (read_api) is correctly minimized in docs, but verify token storage and access controls for the workspace/.env file.
- Persistence & Privilege (ok): always:false and normal autonomous invocation are used. The skill writes its own files under workspace and memory and creates a cron job via platform tooling — this is consistent with its purpose and not excessive by itself. It does not request system-wide privileges or modify other skills' configs.
