paw-chat Security Report — Trusted | ClawSafe

5 /100

paw-chat

Install and manage Paw - a standalone web chat frontend for OpenClaw Gateway

Paw Chat is a legitimate static web chat frontend for OpenClaw Gateway. All shell scripts are documented and necessary. No credential theft, data exfiltration, obfuscation, or hidden functionality. Zero npm dependencies, zero malicious indicators.

Skill Namepaw-chat

Duration38.8s

Enginepi

✓

Safe to install

This skill is safe to use. Shell execution (start.sh, install.sh) is declared in SKILL.md and serves legitimate purposes (local HTTP server, deployment to Gateway directory). No action required.

Resource	Declared	Inferred	Status	Evidence
Filesystem	`WRITE`	`WRITE`	✓ Aligned	SKILL.md declares file write to ~/.openclaw/ and local serve directory
Shell	`WRITE`	`WRITE`	✓ Aligned	start.sh:1 uses bash for python http.server; install.sh:1 uses bash for file cop…
Network	`READ`	`READ`	✓ Aligned	paw-app.js:2323 references highlightjs.org CDN (external URL)
Environment	`NONE`	`NONE`	—	No os.environ access in JS code
Database	`NONE`	`NONE`	—	No database access
Clipboard	`READ`	`READ`	✓ Aligned	paw-app.js:1745 handles clipboard paste for images
Browser	`NONE`	`READ`	✓ Aligned	Standard browser API usage (localStorage, WebSocket)
Skill Invoke	`NONE`	`NONE`	—	No skill_invoke usage

9 findings

🔗

Medium External URL 外部 URL

https://img.shields.io/badge/OpenClaw-Paw-blue?style=for-the-badge

README.md:4

🔗

Medium External URL 外部 URL

https://img.shields.io/badge/License-MIT-green?style=flat-square

README.md:5

🔗

Medium External URL 外部 URL

https://img.shields.io/badge/Zero-Dependencies-orange?style=flat-square

README.md:6

🔗

Medium External URL 外部 URL

https://openclaw.ai

README.md:147

🔗

Medium External URL 外部 URL

https://docs.openclaw.ai

README.md:148

🔗

Medium External URL 外部 URL

https://discord.com/invite/clawd

README.md:150

🔗

Medium External URL 外部 URL

https://www.python.org/downloads/

assets/paw-app.js:2323

🔗

Medium External URL 外部 URL

https://highlightjs.org/

assets/paw-app.js:2387

📧

Info Email 邮箱地址

[email protected]

assets/highlight.min.js:3

File Tree

10 files · 300.2 KB · 5050 lines

JavaScript 3f · 3856L HTML 1f · 791L Markdown 2f · 254L Shell 2f · 94L JSON 1f · 46L CSS 1f · 9L

├─ ▾ 📁 assets

│ ├─ 📄 github-dark.min.css CSS 9L · 1.3 KB

│ ├─ 📜 highlight.min.js JavaScript 1243L · 124.5 KB

│ ├─ 📄 index.html HTML 791L · 34.7 KB

│ ├─ 📜 marked.min.js JavaScript 69L · 39.0 KB

│ ├─ 📜 paw-app.js JavaScript 2544L · 90.5 KB

│ └─ 🔧 start.sh Shell 46L · 1.2 KB

├─ ▾ 📁 scripts

│ └─ 🔧 install.sh Shell 48L · 1.3 KB

├─ 📋 package.json JSON 46L · 940 B

├─ 📝 README.md Markdown 153L · 3.9 KB

└─ 📝 SKILL.md Markdown 101L · 2.8 KB

Security Positives

✓ No credential theft or environment variable harvesting

✓ No data exfiltration or C2 communication

✓ No obfuscation (base64, eval, atob) or anti-analysis techniques

✓ Zero npm dependencies — no supply chain attack surface

✓ SKILL.md accurately describes all shell script behavior

✓ WebSocket connects only to user-configured Gateway URL

✓ Configuration stored only in browser localStorage

✓ All file writes are user-directed (Gateway directory or local serve)

✓ Pure static frontend — no server-side code

✓ Shell scripts execute only local Python http.server (no remote code)

✓ ZIP download feature builds package locally from served files

✓ Code is readable and well-structured (no minified malicious payloads)

Scan Report

File Tree

Security Positives