Plugin v0.1.0

ClawScan security

tool-skill-manager · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Benign · Mar 27, 2026, 2:42 PM
Verdict
benign
Confidence
medium
Model
gpt-5-mini
Summary
The plugin's code and runtime instructions match its stated purpose (capturing the model-visible tools/skills and letting you toggle them), but it records the assembled system prompt and reads skill files then writes persistent snapshot files locally — those snapshots can contain sensitive prompt/session data, so review storage and access policies before installing.
Guidance
This plugin appears to do what it claims, but it captures the model's assembled system prompt and reads skill files, then writes snapshots to disk. Before installing: (1) Inspect index.js (already included) and confirm you are comfortable with local file writes to ~/.openclaw/logs/tool-skill-manager; (2) avoid running the plugin in environments where prompts may contain secrets or credentials (tokens, API keys, session tokens), or configure plugin.outputDir to a secure location with strict permissions; (3) audit the snapshot files (latest.json, LATEST.md, catalog.json) after a run to verify they don't contain sensitive material before sharing; (4) if you prefer less persistence, disable or uninstall the plugin when not actively auditing; (5) note that the plugin will read skill files referenced by the assembled prompt — ensure those paths don't expose sensitive configs. If you want a tighter review, request the remaining portions of index.js (the truncated areas that perform writes and state updates) to confirm exactly which fields are recorded and how enable/disable operations are applied.
Findings
[system-prompt-override] expected: The static detector flagged a system-prompt-override pattern in the SKILL.md; this repository intentionally captures the assembled system prompt (llm_input) so the pattern is expected in context. Still, this amplifies risk: captured system prompt data may include secrets or session identifiers that the plugin will write to disk.

Review Dimensions

Purpose & Capability
ok · The name/description, chat commands in SKILL.md, and the included index.js all implement a model-perspective audit: capture llm_input, parse model-visible tools and skills, present lists, and toggle entries by updating tools/skills state. The code that reads skill frontmatter and resolves skill locations is consistent with claiming to inspect 'model-visible' skill definitions.
Instruction Scope
concern · SKILL.md and the code explicitly capture the assembled system prompt (llm_input) and include fields such as sessionKey and channelId in the snapshot markdown/JSON. Capturing the final system prompt is required for the stated audit purpose, but that prompt can contain sensitive tokens or secrets; the instructions do not strongly warn users about what may be recorded beyond a single 'do not run inside chat' line.
Install Mechanism
ok · No remote install/downloads or unusual installers are used; the skill is instruction-only and includes a local index.js. The README recommends installing via openclaw plugins install . which is the normal flow, so install risk is low.
Credentials
note · The skill requests no environment variables or external credentials. However, at runtime it will parse system prompt content and attempt to read skill files from paths referenced in the prompt (expandHome + readSkillFrontmatter). Reading those files is coherent with enumerating skills, but it means the plugin will access local filesystem paths referenced by the assembled prompt — which could include sensitive files if the prompt embeds paths to them.
Persistence & Privilege
note · The plugin writes persistent snapshot files to a default output directory (~/.openclaw/logs/tool-skill-manager) and modifies OpenClaw tool/skill enablement state (tools.deny and skills.entries.*.enabled) as part of its function. It does not request always:true and does not require extra platform privileges beyond normal plugin capabilities. Because it persists assembled prompt content, treat those files as potentially sensitive.