Openclaw360
Pass
Audited by ClawScan on May 1, 2026.
Overview
The skill is a coherent local security tool, but installing and enabling it gives a GitHub-installed CLI visibility into prompts, tool calls, outputs, and local audit/backups.
This appears purpose-aligned for a runtime security helper. Before installing, verify the GitHub source and pinned commit, understand that enabled protection will inspect agent inputs/tool calls/outputs locally, and manage the ~/.openclaw360/ audit and backup data according to your privacy needs.
Findings (3)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Installing the skill means trusting the referenced GitHub package to run locally on your machine.
The skill relies on installing executable code from a GitHub repository rather than providing code files in the submitted artifact set; the commit pin and user-confirmed install reduce but do not eliminate the need for supply-chain attention.
command: "pip3 install git+https://github.com/milu-ai/openclaw360.git@5fd69db"
Verify the GitHub repository and pinned commit before installing, and prefer the venv install path to isolate dependencies.
When protection is enabled, the skill may interrupt, block, or ask for confirmation before actions the agent would otherwise take.
The skill delegates per-tool authorization decisions to its local CLI and can block or require confirmation before tool calls; this is central to the stated security purpose and is disclosed.
Before executing each tool call, check the risk level of the tool name and parameters: `openclaw360 check-tool <工具名> <参数名=参数值>... --format json`
Enable this mode intentionally, review any confirmation prompts, and do not treat it as a guaranteed hard-enforcement layer because the documented failure mode is to continue with a warning.
Local records of security checks and backups may remain on disk after use, even if raw sensitive values are not stored.
The skill keeps persistent local audit records and backups of its security state; the artifact says sensitive values are hashed and stored under the skill directory.
Security check commands: append JSONL-format audit logs to `~/.openclaw360/audit/`. Sensitive data in the logs is retained only as SHA-256 hashes.
Protect the ~/.openclaw360/ directory, review backup retention, and use backup-clean or manual deletion when you no longer need local audit history.
