Skill v1.0.1
ClawScan security
Global Compliance · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Suspicious · Mar 7, 2026, 9:36 PM
- Verdict: suspicious
- Confidence: high
- Model: gpt-5-mini
- Summary: The Global Compliance SKILL.md matches a compliance CLI, but the package includes unrelated video-generator files and instructs installing an unvetted npm CLI—this mismatch and the suggested external install are inconsistent and warrant caution.
- Guidance: Do not install or run the suggested npm package until you verify its provenance. Specific concerns: (1) This skill bundle contains unrelated SKILL-EN.md/SKILL-ZH.md files for a video-generator skill — likely a packaging error or intentional mixing. (2) The runtime instructions advise installing a global npm CLI (openclaw-global-compliance) that is not part of this registry entry, which could run arbitrary code. Suggested steps before proceeding: 1) Verify the package on npm and inspect its author, version history, and repository URL; prefer packages with a clear homepage/repo and reproducible source. 2) Search for 'openclaw-global-compliance' and the owner identity; confirm it matches the registry owner. 3) Inspect the npm package contents in a sandbox (or review its GitHub repo) to see exactly what binaries/scripts it installs. 4) If you need the skill now, run the CLI in an isolated environment (container or VM) and avoid giving it privileged access or secrets. 5) Contact the publisher/maintainer for clarification about the unrelated video-generator files and request a clean release or corrected packaging. If you cannot verify the package/source, do not install it.
Review Dimensions
- Purpose & Capability (concern): The SKILL.md describes a compliance assistant and its CLI usage (compliance check/generate/assess), which is coherent with the skill name. However, two other included files (SKILL-EN.md and SKILL-ZH.md) are for a completely different 'video-generator' skill. Having unrelated skill documents bundled with a compliance skill is incoherent and suggests mispackaging or intentional mixing of functionality.
- Instruction Scope (note): Runtime instructions ask the agent to request user files, run a local CLI (compliance check/generate/assess/query), and summarize or save outputs. Those instructions stay within the compliance domain and do not request unrelated system files or secrets. However, the skill also defines broad AUTO-TRIGGER keywords, which could cause frequent invocation, and it instructs users/agents to install/run an external CLI not provided by the registry (see Install Mechanism).
- Install Mechanism (concern): The skill is instruction-only (no install spec), but SKILL.md tells users/agents to run 'npm install -g openclaw-global-compliance' and use a 'compliance' CLI. Installing an unvetted global npm package has risk: the package source, integrity, and behavior are unknown. Additionally, the repo includes unrelated files referencing a different project, increasing suspicion that the install instructions could direct you to other code or commands.
- Credentials (ok): The skill declares no required environment variables, credentials, or config paths. The instructions do not ask for secrets beyond normal document inputs and company info. There is no direct request for unrelated credentials or system configuration.
- Persistence & Privilege (ok): Skill flags are default (always: false, agent-invocable allowed). It does not request permanent/privileged presence or to modify other skills. Autonomous invocation is normal and not, by itself, a problem here.
