OpenClaw Agent Compute

Suspicious

Audited by ClawScan on May 10, 2026.

Overview

This looks like a coherent compute-gateway client, but it would let an agent run remote commands and manage artifacts with a bearer key while some credential and runtime risks are under-declared.

Install only if you control or strongly trust the compute gateway and runtime. Use a sandboxed, least-privilege API key, confirm the gateway URL is HTTPS, pin the Docker image before using the starter kit, and require human review for command execution or delete/destroy actions.

Findings (4)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

If the agent invokes this too broadly or is steered by bad input, it could run commands, consume compute resources, or affect data on the connected compute gateway.

Why it was flagged

The client exposes a raw command string, working directory, environment, and timeout to a remote compute gateway. The provided artifacts do not show allowlists, approval prompts, or containment rules for this high-impact operation.

Skill content
export async function computeExec({ session_id, cmd, cwd, env, timeout_s }) {
  // Forwards the raw command string, working directory, environment and timeout to the gateway unchanged.
  return post('/v1/exec', { session_id, cmd, cwd, env, timeout_s });
}

Recommendation

Use only with a sandboxed gateway and least-privilege token. Add explicit approval or policy controls for exec/delete/destroy operations and restrict allowed sessions and commands.

What this means

Users may not realize installation/use requires a credential that can authorize remote command execution and artifact/session changes on their compute gateway.

Why it was flagged

The registry contract says no credential is required, but SKILL.md and scripts/client.js require MCP_COMPUTE_API_KEY and use it as a bearer token for compute gateway operations.

Skill content
Required env vars: none; Env var declarations: none; Primary credential: none

Recommendation

Declare MCP_COMPUTE_URL and MCP_COMPUTE_API_KEY in metadata, document the exact token scope required, and use a token limited to sandboxed compute sessions.

What this means

A changing or incorrect container image could receive the compute gateway URL and API key and operate with the configured tool access.

Why it was flagged

The starter kit runs an unpinned latest-tag container image and passes the .env configuration into it. The starter-kit README also says the official image/tag still need to be confirmed and pinned.

Skill content
    image: ${OPENCLAW_IMAGE:-ghcr.io/openclaw/openclaw:latest}
    env_file:
      - .env

Recommendation

Pin the container image by immutable digest, verify the image source before use, and avoid passing production compute credentials to an unverified starter-kit runtime.

What this means

Files or data supplied to artifact helpers can leave the local environment and be stored or processed by the configured compute gateway.

Why it was flagged

The skill intentionally supports sending artifact bytes to the configured private gateway. This is purpose-aligned, but it is still a sensitive data boundary users should understand.

Skill content
PUT /v1/artifacts/{session_id}/{path} (upload bytes; `{path}` must be URL-encoded and may include slashes)

Recommendation

Point MCP_COMPUTE_URL only at a trusted HTTPS gateway and upload sensitive artifacts only when that data transfer is intended.