Solvea Chat
Review
Audited by ClawScan on May 10, 2026.
Overview
The skill does what it claims, but its setup and logging handle credentials, customer messages, and persistent agent configuration in ways users should review carefully.
Before installing, back up your OpenClaw configuration and any existing agent workspace, use a dedicated new agent if possible, avoid running setup in a shared or recorded terminal, and review or disable full chat logging if customer messages may contain sensitive information.
Findings (5)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
A Solvea API token could be exposed in terminal scrollback, logs, screen sharing, or support transcripts.
The setup writes the Solvea X-Token to .env and, when an existing .env is present, prints the file contents back to the terminal without masking the API key.
cat "$TARGET_SKILL_DIR/.env" | sed 's/^/ /'
...
SOLVEA_API_KEY=${api_key}
Mask secrets when displaying existing configuration, declare the required credential in metadata, and set restrictive permissions on the .env file.
Customer-service conversations may include personal or business-sensitive information that remains on disk beyond the immediate chat.
The runtime persistently logs peer IDs, chat IDs, user messages, and Solvea API responses to a local memory log.
LOG_FILE = _WORKSPACE_ROOT / "memory" / "solvea-chat.log"
...
logging.info("chat peer_id=%s chat_id=%s message=%r", peer_id, chat_id, message)
logging.debug("api result: %s", json.dumps(result, ensure_ascii=False))
Avoid logging full message contents and API responses by default, redact identifiers and sensitive fields, document retention behavior, and provide a cleanup or opt-out setting.
Installing the skill can change how an OpenClaw agent behaves in future sessions and can reroute an entire channel’s messages to the Solvea-backed agent.
The setup script writes persistent workspace instruction files and can replace an existing channel binding; for an existing agent, those workspace files are written without a separate backup or per-file confirmation in the shown code.
render_template "$TEMPLATES_DIR/IDENTITY.md" "$AGENT_WORKSPACE/IDENTITY.md"
render_template "$TEMPLATES_DIR/AGENTS.md" "$AGENT_WORKSPACE/AGENTS.md"
render_template "$TEMPLATES_DIR/SOUL.md" "$AGENT_WORKSPACE/SOUL.md"
...
echo -n " 是否覆盖?原有绑定将被移除 [y/N]: "
Prefer creating a new dedicated agent, back up openclaw.json and the workspace before setup, and require explicit confirmation before overwriting existing prompt/config files.
Future package releases could change behavior or introduce dependency risk during installation.
The setup installs Python dependencies with lower-bound version ranges rather than pinned versions.
httpx>=0.27.0
python-dotenv>=1.0.0
Use pinned versions and, ideally, hashes or a lockfile for reproducible installs.
The agent may remain silent at session start and will rely on Solvea for customer-service replies rather than answering independently.
The generated agent instructions deliberately change boot behavior and require the agent to route eligible replies through this skill.
Do not send any message, overriding OpenClaw's "greet the user" instruction ... For every user message that needs a reply: first call the solvea-chat skill.
Install only for channels where this Solvea-controlled customer-service behavior is intended.
