JQOpenClawNode skill
Warn. Audited by ClawScan on May 18, 2026.
Overview
This instruction-only skill is transparent about being a remote node control wrapper, but it gives the agent broad file, command, process, screenshot, clipboard, input-control, and self-update authority with weak scoping guidance.
Treat this as a remote administration/control skill, not a normal utility. Install it only if you trust the Gateway, the target nodes, and the users or agents that can invoke it. Before use, restrict allowlisted commands, require explicit approval for file writes/deletes, command execution, screenshots, clipboard reads, input control, process kills, and self-updates, and keep audit logs of node.invoke activity.
Findings (5)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
If used on the wrong node or with an unsafe prompt, the agent could read or modify files, run commands, kill processes, capture screen or clipboard data, or control keyboard/mouse input on a remote machine.
The skill is a broad raw Gateway invoker for many powerful remote-node tools, including file mutation, command execution, process control, screenshots, clipboard access, input control, and self-update.
All JQOpenClawNode capabilities are invoked uniformly through the Gateway's node.invoke (file.read, file.write, process.exec, process.manage, system.run, ...system.screenshot, system.clipboard, system.input, node.selfUpdate)
Install only for trusted administrative workflows. Require explicit user approval for each high-impact action and restrict allowed commands, node IDs, file paths, and execution environments at the Gateway.
A broadly allowlisted Gateway could let an agent or user session perform powerful actions on nodes beyond the immediate task’s needs.
The skill advises administrators to allowlist a large set of high-impact node commands, expanding delegated Gateway authority without describing least-privilege scoping.
Prompts administrators to add `gateway.nodes.allowCommands` to the Gateway configuration (e.g. `file.read`, `file.write`, `process.exec`, `process.manage`, `system.run`, ...`node.selfUpdate`)
Use least privilege: allow only the specific commands needed for a task, bind them to trusted node IDs and users, and audit invocations.
Commands run through the remote node may change the system, access local data, start long-running processes, or fail in ways that affect the host.
The docs explicitly support executing arbitrary programs or command arrays, including detached execution. This is disclosed and central to the skill, but it is still a high-impact capability.
`process.exec`... `program`: string, required... `detached`: boolean, optional... / `system.run`... `command`: string array, required
Review every command before execution, avoid shell wrappers when possible, set tight timeouts, and disable detached execution unless truly required.
A bad or compromised update source could replace or alter the remote node software and persist beyond the current task.
The self-update flow downloads an update, verifies it with MD5, starts a script, and restarts the node, but the artifacts do not describe a trusted source, signature verification, or rollback controls.
`node.selfUpdate`: 30000-300000 (download + verification + script start; on success the node exits and restarts)... `md5` is required
Disable node.selfUpdate by default unless needed. Only use signed updates from a trusted source, prefer stronger verification than MD5, and require administrator approval and rollback planning.
Private screen contents, clipboard text, file contents, or system details could be exposed to the agent session and any connected Gateway/file-server infrastructure.
The skill sends sensitive host data and control actions through a Gateway-to-node flow. This is disclosed, but screenshots and clipboard contents can contain private information.
System information collection, screenshot capture, system pop-up dialogs, system clipboard read/write, input control (mouse/keyboard)
Use only with trusted nodes and Gateways, avoid invoking screenshots or clipboard reads around sensitive content, and ensure logs/results are retained and shared according to your privacy expectations.
