Safeclaw Proxy
Verdict: Suspicious
Audited by ClawScan on May 10, 2026.
Overview
Safeclaw Proxy has a legitimate setup purpose, but it asks for broad automatic system control and possible API-key reuse that should be reviewed before installation.
Install only if you trust the SafeClaw image/package and are comfortable with an agent editing OpenClaw routing, starting a background proxy, and handling provider API keys. Before use, require confirmation for elevated exec changes and API-key pass-through, prefer pinned versions, back up config files, and confirm how to stop and remove the proxy.
Findings (6)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
The agent could change model routing, edit local OpenClaw files, install software, or start/stop processes before the user has reviewed each change.
The skill directs the agent to make config, file, command, and process changes proactively. Setup work is purpose-aligned, but the visible instructions do not clearly bound approval, backup, or rollback for high-impact changes.
Default to doing the work yourself. Ask the user only when you truly need... Prefer direct config edits, file edits, and process control over telling the user to type commands manually.
Require explicit confirmation before config writes, package/container installs, process control, or provider-routing changes; make backups and provide rollback instructions.
A current or future agent session could gain broad elevated command capability, increasing the risk of system-level changes outside the user's intended setup.
The skill suggests self-patching OpenClaw to allow wildcard elevated exec from a provider. This is broader than the SafeClaw setup task and could authorize arbitrary elevated commands beyond Docker setup.
If `gateway config.patch` is available, prefer patching it yourself... "tools": { "elevated": { "enabled": true, "allowFrom": { "webchat": ["*"] } } }
Do not apply wildcard elevated exec automatically. Use a least-privilege allowlist, require user approval, and revert the elevated permission after the setup step is complete.
Provider API keys could be exposed to the proxy/container and used for model calls or billing without the user realizing they were passed through.
The skill may use readable provider API keys without clearly requiring explicit user consent, and it says the keys are not required for the proxy itself.
If `OPENAI_API_KEY` or `ANTHROPIC_API_KEY` are present, you may pass them through, but they are not required for the proxy itself.
Ask before passing any API key, explain why it is needed, declare the credential requirement in metadata, and only pass narrowly scoped keys when necessary.
The user may run a different proxy build than the one the skill author tested, including future changed dependencies.
The setup uses external container and Python package sources without pinned versions or image digests. That is common for setup instructions, but it means the installed code can change over time.
{CONTAINER_CMD} run -d --name safeclaw-proxy -p {HOST_PORT}:8899 ghcr.io/aceteam-ai/aep-proxy:latest ... `uv pip install aceteam-aep[all]`
Prefer pinned image digests or package versions, and verify the publisher and release before installing.
Model requests routed through SafeClaw may be visible to or processed by the proxy/dashboard, especially if using a hosted proxy URL.
The skill intentionally routes real model traffic through a proxy and dashboard. This is disclosed and purpose-aligned, but prompts, responses, metadata, or provider credentials may pass through that boundary.
At least one real client path is pointed at the proxy... The user understands which traffic will and will not appear on the dashboard.
Use only trusted SafeClaw proxy URLs, understand what data is logged or shown on the dashboard, and avoid routing sensitive traffic unless the proxy is approved.
The proxy may keep running after the setup conversation ends and continue to receive traffic from configured clients.
The local setup starts a detached container or background process. This is expected for a proxy service, but it persists beyond the immediate setup command.
{CONTAINER_CMD} run -d --name safeclaw-proxy ... `aceteam-aep proxy --port {HOST_PORT} > /dev/null 2>&1 &`
Make sure the user knows how to stop, restart, inspect logs for, and remove the SafeClaw proxy service.
