OpenClaw Agent Creator
PassAudited by VirusTotal on May 12, 2026.
Overview
Type: OpenClaw Skill Name: claw-agent-creator-archit Version: 1.0.0 The skill bundle is designed for OpenClaw agent system management, which inherently requires privileged operations like file system access and process control. It explicitly instructs the AI agent to execute shell commands (e.g., `openclaw gateway stop`, `cp`, `mkdir`, `jq`, `date`) as part of its workflow, as detailed in `SKILL.md` and `references/prompt-patterns.md`. Specifically, `references/prompt-patterns.md` shows a 'Report Prompt' pattern that instructs the agent to 'Run: 1) [cmd1] 2) [cmd2] ...', indicating the agent is designed to execute arbitrary commands provided in prompts. This direct instruction for shell command execution, especially with dynamic inputs and arbitrary commands, creates a critical prompt injection vulnerability, allowing for potential Remote Code Execution if a malicious user can inject commands into the agent's prompts.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
A mistaken edit or restart could break routing, cron jobs, or agent availability.
The skill instructs local service control and direct edits to core OpenClaw configuration. This is expected for an agent-creation skill, and it includes backup/stop guidance, but misuse could disrupt the live agent system.
`openclaw gateway stop` ... `MANDATORY before editing openclaw.json or cron/jobs.json` ... `openclaw gateway start`
Use only after an explicit request, keep the backup step, review config diffs before restart, and verify logs after changes.
Scheduled agents may keep posting or consuming model/API resources until the cron jobs are disabled.
The skill can create scheduled autonomous agent tasks that continue running and can send Telegram messages. This is disclosed and central to the stated purpose, but it is persistent behavior.
Create Cron Jobs (if needed) ... Edit `cron/jobs.json`. Every cron job prompt MUST include ... Delivery instructions: use `target='<AGENT_GROUP_ID>'`
Create cron jobs only when explicitly requested, document their schedules, use clear timeouts, and know how to disable or remove them.
Private notes or bad instructions saved in memory could influence future agent behavior.
The generated agent template uses persistent memory files and instructs agents to reuse that context across sessions. This is purpose-aligned, but stored memories can contain sensitive or behavior-shaping information.
Read `memory/YYYY-MM-DD.md` ... Also read `MEMORY.md` ... Capture what matters. Decisions, context, things to remember. Skip the secrets unless asked to keep them.
Keep memory files scoped to each agent, avoid storing secrets, and periodically review or clean persistent memories.
Wrong bindings or group settings could make the wrong agent handle Telegram messages.
The skill changes routing for a shared Telegram bot, which effectively grants selected agents authority to read/respond in configured chats. This matches the purpose but crosses a permission boundary.
One Telegram bot shared across all agents — routing determines which agent handles which chat
Only add groups and bindings the user has approved, keep `requireMention` behavior intentional, and test routing after restart.
The skill may fail or behave unexpectedly if the expected local OpenClaw environment is not present.
The registry metadata under-declares the local environment needs relative to the instructions, which use OpenClaw CLI commands, `jq`, and files under `~/.openclaw/`. This is a metadata completeness issue, not evidence of malicious behavior.
Required binaries (all must exist): none ... Required config paths: none
Before use, confirm `openclaw`, `jq`, and the intended `~/.openclaw/` configuration exist and belong to the expected user.