OpenClaw Agent Clone
Security checks across static analysis, malware telemetry, and agentic risk
Overview
The skill matches its cloning purpose, but importing a shared package can overwrite persistent agent files, install package-selected skills, and export raw user/config files despite broad filtering claims.
Use this only with clone packages you fully trust. Inspect exported packages before sharing, and inspect imported JSON for unexpected filenames, skills, rules, tools, identity text, and memory before applying it.
Static analysis
No static analysis findings were reported for this release.
VirusTotal
VirusTotal findings are pending for this skill version.
Risk analysis
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
A malicious or malformed clone package could overwrite files outside the intended OpenClaw workspace, potentially changing or damaging the agent environment.
The filename comes from the imported JSON package and is joined directly to the workspace path without an allowlist, normalization, or rejection of absolute paths/`..` traversal before writing.
for filename, content in package.get('identity', {}).items(): filepath = Path(WORKSPACE) / filename ... write_file(filepath, content)Only import packages from trusted sources. The skill should restrict imports to expected filenames, reject absolute or parent-directory paths, and show a review of files before writing.
Importing a shared package can add unreviewed skills to the agent, changing its future capabilities and behavior.
The imported package controls the list of skill slugs that are installed automatically, with no preview, provenance check, version pinning, or per-skill confirmation.
skills = package.get('skills', []) ... slug = skill.get('slug') ... subprocess.run(['skillhub', 'install', slug], capture_output=True, text=True, timeout=60)Review the skill list before import. The implementation should validate slugs, pin or verify versions, and require explicit confirmation before each skill installation.
A clone package can persistently alter the agent's rules, tools, identity, or memory, causing future sessions to follow imported instructions.
Imported package content is written into persistent agent configuration and optional memory files, so untrusted package text can become reusable future context.
for filename, content in package.get('config', {}).items(): filepath = Path(WORKSPACE) / filename ... write_file(filepath, content) ... package.get('memory', {})Inspect imported AGENTS.md, SOUL.md, TOOLS.md, and MEMORY.md content before applying it, and avoid importing memory or rules from untrusted packages.
Users may share a clone package believing all secrets are filtered, while raw identity, user, tool, rule, or memory files could still contain private information or credentials.
Identity and configuration files are copied into the export package verbatim, while filtering is only applied through `export_config()` for OpenClaw JSON configuration. This is broader risk than the SKILL.md filtering description suggests.
package['identity'][filename] = content ... package['config'][filename] = content ... package['openclawConfig'] = export_config()
Manually inspect and redact exported packages before sharing. The skill should apply filtering to all exported text files or clearly state which files are not sanitized.