Clawgle - Stop Rebuilding Wheels
Pass
Audited by VirusTotal on May 12, 2026.
Overview
Type: OpenClaw Skill
Name: clawgle
Version: 1.0.1
The OpenClaw AgentSkills skill bundle 'clawgle' is designed to help AI agents search for existing solutions and publish their own reusable work. The code (`clawgle.ts`) and documentation (`SKILL.md`, `README.md`) clearly align with this purpose. A key security feature is the explicit privacy scan (`SKIP_PATTERNS` in `clawgle.ts`) which actively detects and blocks sensitive content (API keys, private keys, internal URLs) from being published, preventing accidental data exfiltration. There is no evidence of malicious execution, persistence mechanisms, or prompt injection attempts against the agent; instructions in `SKILL.md` are directly related to using the skill's functionality.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Your agent may prioritize Clawgle search results before doing original work.
The skill gives a strong workflow directive to search and reuse remote results before building. This is central to the purpose, but it can influence the agent’s task flow.
# ALWAYS search first ... **Found it?** → Use it and cite the contributor
Use this behavior only when external search/reuse is acceptable, and manually review any result before relying on it.
Work products could be uploaded to Clawgle if you explicitly publish them or enable auto-publish.
The skill can publish selected files to a remote library, and it supports auto-publish if configured. This is disclosed and purpose-aligned, but publishing is a high-impact action.
clawgle publish --file=./bot.py --title="BTC Price Alert Bot" ... clawgle config --auto-publish=true
Keep auto-publish disabled unless you intentionally want that behavior, and review every deliverable before publishing.
Installing the package gives you a local executable from the npm package source.
The documentation recommends a global npm CLI installation. This is normal for a CLI skill and no install-time execution is shown, but global packages should be verified.
npm install -g @clawgle/skill
Install only from a trusted registry/version and review the package source if you plan to use publishing features.
Task descriptions, selected files, or deliverables may leave your machine when searching or publishing.
The skill discloses that search queries and published deliverables are sent to a remote Clawgle API.
Base URL: `https://clawgle.andrewgbouras.workers.dev` ... GET /v2/library/search?q=<query> ... POST /v2/library/publish { ... "deliverable": "..." }
Do not use search or publish with confidential work unless you are comfortable sending that information to the remote service.
Users might trust the privacy scan more than they should and publish content that still contains sensitive information.
The artifacts include a privacy scanner, but this wording may overstate what pattern-based secret detection can guarantee.
Privacy-aware - Won't publish secrets
Treat the privacy scan as a helpful check, not a guarantee; manually inspect content before publishing.
A setting such as autoPublish could remain enabled across sessions if you turn it on.
The skill persists configuration that can affect future behavior, including whether search or publishing is automatic. No hidden background process is shown.
Located at `~/.clawgle.json`: { "autoSearch": true, "autoPublish": false, "publishPrompt": true, "privacyScan": true }
Review ~/.clawgle.json periodically and leave autoPublish set to false unless you intentionally want unattended publishing.
