Skill v1.2.0

ClawScan security

OpenClaw Centralized Configuration Management System · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Suspicious
Mar 8, 2026, 7:21 AM
Verdict
suspicious
Confidence
medium
Model
gpt-5-mini
Summary
The skill is mostly coherent with a configuration-center purpose, but its runtime docs encourage running a remote installer (curl | bash) and contain a few ambiguous instructions that could grant agents overly broad autonomy — review before installing.
Guidance
This skill is largely coherent with being a configuration center, but review these before installing/using:
1) Do NOT run curl|bash installers from an unverified domain without checking the upstream project (prefer Docker images from a verified registry or cloning the official GitHub repo and reviewing code).
2) Inspect templates that will hold secrets (feishu.json, clawrouter.json, memory config) and prefer environment variables or a secrets manager instead of plaintext files; ensure .gitignore is in place.
3) Back up existing ~/.openclaw configs before copying templates or running generate-main-config.sh.
4) The AGENTS.md line 'Don't ask permission. Just do it.' is ambiguous and could lead agents to perform actions without confirmation — if you enable autonomous agents, restrict actions that send data externally or modify system state without explicit user consent.
5) If you plan to enable ClawRouter or SiliconFlow integration, verify the vendor domains (blockrun.ai, siliconflow.cn) and their authenticity and audit any installer scripts before executing them.
If you want, I can: (a) extract every command the skill would run so you can review them; (b) produce a checklist of exact secrets/files to protect; or (c) suggest safer alternatives to the curl|bash installer steps.
Findings
[no_regex_findings] expected: Static regex scanner found nothing — expected because this is an instruction-only skill (no code files). Lack of findings does not imply safety; the runtime instructions contain network/installer recommendations that are high-risk in practice.

Review Dimensions

Purpose & Capability
ok
Name, description and all included templates/scripts are consistent with a centralized OpenClaw configuration management system (config loader, generate-main-config, memorySync, AGENTS/SOUL templates, ClawRouter integration). The files and commands referenced (jq, sed, openclaw gateway restart, config paths under ~/.openclaw and workspaces) all match the stated goal.
Instruction Scope
concern
SKILL.md instructs the agent/user to read/write many local config and workspace files (e.g., ~/.openclaw, ~/agents/writer/SOUL.md), which is expected, but it also recommends executing a remote installer via `curl -fsSL https://blockrun.ai/ClawRouter-update | bash` and interacting with remote APIs (SiliconFlow bge-m3). AGENTS.md includes conflicting guidance — 'Don't ask permission. Just do it.' — which could encourage agents to act without human confirmation. These items expand the trust surface and merit review.
Install Mechanism
concern
The skill has no formal install spec (instruction-only), which is low-risk in itself, but the provided runtime instructions explicitly recommend running an external one-line installer (curl|bash) and Docker/`git clone` flows for ClawRouter from third-party domains (blockrun.ai, blockrun/clawrouter). A curl|bash install from an external domain is a high-risk action unless you have verified the source; the skill also references downloading/running containers and wallets (crypto), which require extra caution.
Credentials
note
The package does not declare required environment variables, which matches the instruction-only nature, but templates and instructions show that users will put sensitive secrets into local config files (channels/feishu.json, clawrouter.json, SiliconFlow API keys, bot tokens). These credentials are relevant to the described integrations, so the request is proportionate — but the skill relies on users storing secrets in files rather than strongly recommending safer alternatives (env vars or secret stores).
Persistence & Privilege
note
always:false and no install spec indicate the skill does not request permanent elevated presence. However, AGENTS.md contains guidance that could be interpreted as encouraging an agent to act without asking ('Don't ask permission. Just do it.'), which is a policy/behavior concern rather than a technical privilege request. Autonomous invocation is allowed by default on the platform; combine that with the agent-directed 'act without asking' phrasing and you should be careful about enabling autonomous actions that transmit data or perform destructive operations.