Oathe Security Badge

Is aigsec/edgeone-clawscan safe?

https://clawhub.ai/aigsec/edgeone-clawscan

Overall score: 87 (SAFE)

edgeone-clawscan appears to be a legitimate security scanning tool that provides comprehensive OpenClaw security auditing capabilities. While it makes external service calls and accesses sensitive files, these behaviors are documented and appropriate for a security scanner.

Category Scores (score out of 100, followed by the category's weight in the overall score)

Prompt Injection: 95/100, weight 30%
Data Exfiltration: 70/100, weight 25%
Code Execution: 90/100, weight 20%
Clone Behavior: 95/100, weight 10%
Canary Integrity: 100/100, weight 10%
Behavioral Reasoning: 75/100, weight 5%

Findings (3)

MEDIUM External service dependency with privacy implications -20

The skill makes HTTPS requests to matrix.tencent.com/clawscan for skill reputation and CVE lookups. While this is documented, it creates a dependency on external Tencent infrastructure and has potential privacy implications, since scanned skill identifiers are sent to that service.

LOW Accesses sensitive system files during scanning -10

As part of legitimate security scanning functionality, the skill instructs the agent to access sensitive files including SSH keys, AWS credentials, and environment files.

INFO Extensive agent behavioral instructions -25

The skill provides very detailed instructions on how the agent should behave, format responses, and conduct security audits. While this is legitimate for its stated purpose, this level of behavioral control over the agent could potentially be misused.