Plugin v0.1.5

ClawScan security

KPainter OpenClaw Bundle · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Benign · Apr 25, 2026, 4:24 AM
Verdict
benign
Confidence
high
Model
gpt-5-mini
Summary
This is a metadata-only bundle (no code, no installs, no credentials) whose files and runtime instructions are consistent with its stated purpose.
Guidance
This bundle is metadata-only and appears safe to install. It does not contain executable code or request credentials. If you intend to use KPainter features, review the referenced 'kpainter' and 'kpainter-openclaw' packages (and their homepage) before granting any API keys or secrets, since runtime behavior would come from those packages rather than this bundle.

Review Dimensions

Purpose & Capability
ok: The name/description match the included files (bundle manifests, README, package.json). Nothing in the package requests unrelated capabilities (no binaries, env vars, or external installs).
Instruction Scope
ok: SKILL.md only instructs local validation steps (jq on the package files and npm pack --dry-run) and suggests a publish command. There are no instructions to read unrelated system files, exfiltrate data, or call external endpoints.
Install Mechanism
ok: No install spec or code files are present; this is instruction-only metadata and does not write or execute code on install.
Credentials
ok: The skill requires no environment variables or credentials. The bundle manifest contains a link labeled apiKey, but this is only a documentation link and not a runtime credential request.
Persistence & Privilege
ok: 'always' is false and the skill does not request persistent system presence or alter other skill configurations. Autonomous invocation is allowed by default, but there is no code here to act on that capability.