Skill v1.4.2

ClawScan security

Openclaw Skill · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Benign · Feb 21, 2026, 9:12 AM
Verdict
benign
Confidence
medium
Model
gpt-5-mini
Summary
The skill is internally consistent with its stated purpose (interacting with the Ceaser protocol via the ceaser-mcp CLI and public facilitator endpoints), but it relies on running an npm package at runtime (npx -y), which has operational risk and should be reviewed before use.
Guidance
This skill appears to do what it says: call Ceaser facilitator endpoints and run the ceaser-mcp CLI. Before installing or running it, consider:
(1) npx -y executes the ceaser-mcp package fetched from npm at runtime — review the ceaser-mcp npm package (publisher, version, recent changes) or prefer installing a pinned package locally rather than using npx -y.
(2) Avoid running the skill in environments with highly sensitive data or credentials since running third-party code can be risky.
(3) The OpenAPI reference includes admin endpoints (protected by ADMIN_KEY); the skill does not request that key — do not provide any unrelated credentials.
(4) If you want stronger assurance, fetch and inspect the ceaser-mcp source (or pin a known-good release), or run the tool in a sandboxed environment.
If you need help checking the npm package or verifying the facilitator URL/certs, provide the package name/version or more context and I can help review.

Review Dimensions

Purpose & Capability
ok
Name/description match the requested binaries and the runtime instructions: the skill uses the ceaser-mcp npm CLI and public ceaser.org endpoints. Required binaries (curl, jq, node, npx) are appropriate and expected for the described operations. The included OpenAPI reference documents the same API surface.
Instruction Scope
note
SKILL.md instructs only public REST calls to ceaser.org and use of the ceaser-mcp CLI via `npx -y ceaser-mcp <subcommand>`. It does not request arbitrary file or credential access. It does mention an optional local mcporter config ({baseDir}/mcporter.json) which could cause the agent to interact with a locally configured MCP server if present — this is optional, but worth noting.
Install Mechanism
note
There is no install spec (instruction-only), which minimizes persistent footprint. However, the runtime pattern uses `npx -y` to fetch and execute the ceaser-mcp package on demand. That behavior is coherent with a CLI-based skill but carries moderate risk: running code fetched from npm at runtime executes third-party code in the agent environment and can run arbitrary operations if the package or its dependencies are compromised.
Credentials
ok
The skill declares no required environment variables or credentials. The OpenAPI file references administrative endpoints protected by an ADMIN_KEY in production, but the SKILL.md does not request that key — the absence of credential requirements is consistent with the skill's described public/facilitator usage.
Persistence & Privilege
ok
The skill is not always-enabled and is user-invocable. It does not request persistent system-wide privileges or modifications. Autonomous invocation is allowed by default but not combined with other high-risk privileges in this skill.