Trusted — Risk Score 5/100
Last scan: 1 day ago
clawguard-security-checker
Enterprise-grade security configuration analyzer and runtime integrity verifier for OpenClaw environments
ClawGuard Security Checker is a legitimate OpenClaw configuration analyzer that reads config files, checks permissions, and generates hardening recommendations with no malicious behavior detected.
Skill Name: clawguard-security-checker
Duration: 29.2s
Engine: pi
Safe to install
This skill is safe to use. No security concerns identified.

Findings: 1 item

| Severity | Finding | Location |
| --- | --- | --- |
| Low | Minor documentation gap on file output (Doc Mismatch) | SKILL.md:1 |

SKILL.md does not explicitly declare filesystem:WRITE capability for report and hardened config generation. However, this is benign functionality clearly implied by the hardening feature.
Filesystem WRITE for --output and --fix file generation not declared
→ Add explicit declaration of filesystem:WRITE for report/config output capabilities

| Resource | Declared | Inferred | Status | Evidence |
| --- | --- | --- | --- | --- |
| Filesystem | READ | READ | ✓ Aligned | SKILL.md:47 - Find and read ~/.openclaw/openclaw.json |
| Filesystem | NONE | WRITE | ✓ Aligned | cli.js:61,74 - fs.writeFileSync for report and hardened config output |
| Network | NONE | NONE | | No network calls in cli.js or src/checker.js |
| Shell | NONE | NONE | | No child_process usage in codebase |
| Environment | NONE | NONE | | No os.environ iteration or credential harvesting |

File Tree

6 files · 43.9 KB · 1280 lines
JavaScript 2f · 654L Markdown 2f · 604L JSON 2f · 22L
├─ 📁 src
│ └─ 📜 checker.js JavaScript 548L · 19.3 KB
├─ 📋 _meta.json JSON 7L · 159 B
├─ 📜 cli.js JavaScript 106L · 3.9 KB
├─ 📋 package.json JSON 15L · 419 B
├─ 📝 README.md Markdown 128L · 3.3 KB
└─ 📝 SKILL.md Markdown 476L · 16.8 KB

Dependencies: 1 item

| Package | Version | Source | Known Vulns | Notes |
| --- | --- | --- | --- | --- |
| none | N/A | N/A | No | No npm dependencies - uses only built-in Node.js modules (fs, path, crypto) |

Security Positives

✓ No shell execution (child_process) - pure Node.js fs/path/crypto APIs
✓ No network requests - fully offline configuration analysis
✓ No credential harvesting - only pattern-matches exposed secrets in config files, does not exfiltrate
✓ No sensitive path access - only reads ~/.openclaw/, never accesses ~/.ssh, ~/.aws, or .env
✓ No obfuscation - clean, readable code with no base64 or eval patterns
✓ No supply chain risk - zero dependencies in package.json
✓ Legitimate security tool purpose - validates and hardens OpenClaw configurations
✓ No persistence mechanisms - no cron, startup hooks, or backdoor installation