Plugin v1.1.0

ClawScan security

OpenClaw Toolkit - AI Assistant Enhancement Toolkit · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Benign · Apr 4, 2026, 8:01 AM
Verdict
benign
Confidence
high
Model
gpt-5-mini
Summary
The package is an instruction-only OpenClaw toolkit whose declared purpose (commands/agents/skills for research, review, docs, connectors) matches the files and runtime instructions. It requires no installs or mandatory credentials, but it includes connectors and command templates that can read local files and execute commands, so you should only enable connectors and provide secrets when you trust the source.
Guidance
This toolkit is internally consistent with its stated purpose, but review and act cautiously before enabling connectors or supplying secrets:
1) Only provide GITHUB_TOKEN/DATABASE_URL/AWS keys if you need those connectors; use least-privilege (read-only) tokens and temporary credentials where possible.
2) Inspect the SKILL.md files for any commands you don’t want run automatically; the /connect templates show exec of arbitrary CLI commands (gh, docker, kubectl).
3) The package runs read/exec/write/browser actions (expected for code review and web research), so prefer installing in a sandbox or test user account first and avoid exposing sensitive system files.
4) Note minor documentation inconsistencies (path names: ~/.workbuddy vs ~/.openclaw/ workspace); verify install paths before copying files.
5) If you need higher assurance, review the specific SKILL.md under skills/ you plan to use and request minimal credentials for those features only.

Review Dimensions

Purpose & Capability
ok
The name/description (toolkit for OpenClaw assistant capabilities) aligns with the repository contents: commands, agents, and SKILL.md for web-research, code-review, documentation, git-workflow, memory, and mcp-connector. Nothing in the bundle requests unrelated resources (no hidden AWS/GCP credentials required by default).
Instruction Scope
note
The runtime instructions and agent docs explicitly instruct reading local files, running linters/tests via exec, spawning sub-agents (sessions_spawn), using browser/web_fetch, and executing external CLI commands (e.g., gh, docker). This is coherent for a toolkit that audits code and integrates external services, but it means the skill can access local code and invoke arbitrary commands if used with those features — review which commands you allow and avoid supplying high-privilege credentials unless necessary.
Install Mechanism
ok
No install spec and no code files executed by the platform are shipped (instruction-only). This is low-risk from an installation perspective — nothing is downloaded or extracted by the skill itself.
Credentials
note
No required env vars are declared in the registry metadata. Documentation and command templates show optional use of GITHUB_TOKEN, DATABASE_URL, AWS credentials, etc., which are sensible for the 'connect' features. Because credentials are optional and purpose-aligned, this is proportionate — but only provide tokens when you intend to use the corresponding connector and prefer least-privilege (read-only) tokens.
Persistence & Privilege
ok
always is false and the skill is user-invocable; it does not request permanent platform-wide presence or to modify other skills. Normal autonomous invocation is allowed by platform defaults but not exceptional here.