Plugin v0.1.2
ClawScan security
OpenClaw Safe Agent CLI MCP · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Suspicious · Apr 26, 2026, 7:08 PM
- Verdict: suspicious
- Confidence: medium
- Model: gpt-5-mini
- Summary: The skill's behavior (wrapping local Claude/Codex CLIs with dry-run defaults and cwd allowlists) matches its description, but the bundle metadata omits required binaries and build/runtime details and the install steps rely on fetching and building code locally — these mismatches and build-time network fetches warrant caution.
- Guidance: This project appears to do what it claims, but the package metadata is incomplete and the build step will fetch remote packages — treat it as untrusted code until you verify it. Before installing or registering:
  1. Inspect the repository locally and review package.json (and any lockfile if available) and the built dist files.
  2. Build and run inside an isolated environment (container or VM).
  3. Keep allowedRoots empty until you have explicitly set narrow project paths.
  4. Never enable allowWrites or run real execution against sensitive repositories until you've validated behavior.
  5. Avoid putting secrets in prompts, and prefer pinning CLI versions and using a package lock (npm ci) to avoid unexpected dependency fetches.

  If you want higher confidence, request the built artifacts (dist) or a package lockfile and the list of runtime dependencies to review.
Review Dimensions
- Purpose & Capability (concern): The README/SKILL.md clearly requires Node >= 20 and the local Claude and/or Codex CLIs to be installed and authenticated, but the skill metadata declares no required binaries or credentials. That omission is an incoherence: someone using this skill must have Node and the CLIs, so the metadata should have declared them.
- Instruction Scope (ok): The runtime instructions stay on-topic: they describe dry-run previews, realpath cwd allowlists, no shell spawning, explicit write gates, and redaction. They do not instruct arbitrary file reads, secret exfiltration, or contacting unknown endpoints. The instructions do require operators to create local config (allowedRoots) and to build the project before registering — those are expected for this kind of tool.
- Install Mechanism (note): This is an instruction-only skill (no automatic install spec), so nothing is written automatically by the platform. However, the Quickstart tells operators to run git clone and npm install/build, which will fetch remote packages during npm install. There is no lockfile included in the provided manifest; review the repo's package dependency list and built artifacts before running npm install in a sensitive environment.
- Credentials (note): The skill declares no required environment variables or credentials (consistent with being a local wrapper). However, real execution depends on downstream CLIs that themselves require authentication. The SKILL.md warns that redaction is best-effort — operators must avoid sending secrets in prompts and should ensure the CLIs' credentials are managed locally and not exposed to callers.
- Persistence & Privilege (ok): The skill does not request always:true and is user-invocable; it also does not include an automatic registration mechanism that would modify system-wide OpenClaw config. Autonomous model invocation remains allowed by default (normal for skills) but is not combined with other high-risk privileges here.
