Skill v2.0.0

ClawScan security

OpenClaw Sandbox Testing System · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Suspicious · Mar 10, 2026, 2:44 AM
Verdict
suspicious
Confidence
medium
Model
gpt-5-mini
Summary
The skill is largely consistent with a sandbox-for-OpenClaw purpose, but several environment-manipulating behaviors (including a hard-coded user path) and an undeclared plugin choice are surprising and warrant manual review before use.
Guidance
This skill appears to implement a useful sandbox workflow for OpenClaw, but review the scripts before running them. Specifically:
1) Inspect templates/safe-try.sh and templates/apply-config.sh to ensure the openclaw commands, ports, and the sandbox token are acceptable for your environment.
2) Remove or change the enabled plugin ('feishu-openclaw-plugin') if you don't want sandbox to load external integrations — that plugin may need credentials not declared by the skill.
3) Fix the hard-coded user path in scripts/cleanup-env.sh (/Users/wh1ko) — it will mis-restore HOME on other machines; prefer restoring HOME from the parent shell or documenting the expected username.
4) Run the sandbox first on an isolated test machine or non-critical account, confirm the backup/rollback process works, and only then use apply-config.sh on production.
5) Because the scripts start a background gateway, ensure you understand how to stop it (PID file location) and verify logs before applying changes to production.

Review Dimensions

Purpose & Capability
note: The name/description (sandbox for OpenClaw config testing) match the code: scripts create a temporary sandbox, validate configs, start a gateway, backup and apply production configs. Nothing requests unrelated cloud credentials or exotic binaries. One surprising item: the sandbox config enables a 'feishu-openclaw-plugin' in templates/safe-try.sh; allowing a plugin that may require external credentials is not obviously necessary for a generic sandbox and the skill does not declare any plugin-related environment variables or creds.
Instruction Scope
concern: The runtime instructions and included shell scripts manipulate environment variables (export OPENCLAW_HOME and HOME), create files under $HOME and /tmp, start a background gateway process, and provide an apply-to-production flow that runs openclaw gateway restart. The scripts are explicit about these actions (not stealthy), but they also embed a hard-coded user path (/Users/wh1ko) in scripts/cleanup-env.sh and assume behaviours (e.g., restoring HOME to that path). cleanup-env.sh and the SKILL.md do not make it clear when or whether users should run cleanup-env.sh automatically. The presence of a configured plugin (feishu-openclaw-plugin) and a cleartext sandbox token in the example config are also things a user should validate.
Install Mechanism
ok: There is no install spec (instruction-only), so no network downloads or opaque installers are performed by the skill itself. The code files are plain shell scripts bundled in the skill — lower risk than a remote install URL. The platform will write these files into the skill path when installed, which is expected.
Credentials
concern: The skill does not request credentials or env vars in metadata (good), but the scripts actively set and unset OPENCLAW_HOME and temporarily change HOME for the gateway process. cleanup-env.sh unconditionally sets HOME back to '/Users/wh1ko' if HOME differs, which is a hard-coded developer path and not proportional to a general-purpose skill; running that script on other machines could mis-set HOME. Also, enabling 'feishu-openclaw-plugin' in the sandbox config may implicitly require Feishu credentials not declared by the skill.
Persistence & Privilege
ok: The skill is not always:true and does not request elevated platform privileges. It writes files into the user's skill directory, $HOME/.openclaw/backups, and /tmp for sandbox state — expected for a sandbox tool. It does start a background process (openclaw gateway) in the user's context, which is expected behavior but worth noting before launch.