ClawTrial Courtroom

Security checks across static analysis, malware telemetry, and agentic risk

Overview

This skill openly implements a background conversation-monitoring daemon, but it auto-starts on install, persists conversation history, accepts local message feeds, and automatically posts detected cases to a public API.

Review this carefully before installing. Only use it if you intentionally want a persistent background monitor for conversations. If installed, verify the API endpoint, set autoStart/enabled to false unless needed, protect or remove the API key, restrict who can post to the localhost message endpoint, and periodically clear ~/.openclaw/courtroom if it may contain sensitive chat history.

Static analysis

Static analysis findings are pending for this release.

VirusTotal

66/66 vendors flagged this skill as clean.

Risk analysis

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

Installing the skill may execute code and start services in a way the install contract does not clearly represent.

Why it was flagged

The package declares an install lifecycle script even though the registry install section describes the skill as instruction-only/no install spec; for an auto-starting daemon, that under-declared install-time behavior is material.

Skill content

"scripts": { "test": "node test.js", "postinstall": "node scripts/postinstall.js" }

Recommendation

Require the registry/install metadata to explicitly declare the postinstall script and background daemon, or install only in a sandbox with lifecycle scripts disabled until reviewed.

What this means

The skill can begin running and monitoring immediately after installation.

Why it was flagged

The install-time script launches Node code as a detached background process, so installation itself starts runtime behavior rather than waiting for an explicit user command.

Skill content

const daemon = spawn('node', [daemonPath, 'start'], { detached: true, stdio: 'ignore' });
daemon.unref();

Recommendation

Make daemon startup an explicit user action, or disable postinstall execution and start it manually only after reviewing the configuration.

What this means

Conversation oversight may continue in the background until the user notices and stops or disables it.

Why it was flagged

The skill is designed to persist as an autonomous background monitor by default, which is high-impact even though it is disclosed.

Skill content

The daemon **auto-starts** on installation. No manual intervention needed.

Recommendation

Only install if you want a persistent monitor; immediately verify status with courtroom-status and disable auto-start unless ongoing monitoring is intentional.

What this means

False positives or private behavioral judgments may be published or sent externally without a final human review step.

Why it was flagged

Detected cases are filed automatically to an external endpoint once the confidence threshold is met; the artifacts do not describe per-case user approval before posting.

Skill content

When a violation is detected ... Saves case locally to `~/.openclaw/courtroom/verdict_*.json` - POSTs case to your configured API endpoint

Recommendation

Disable or remove the API endpoint until you confirm exactly what is sent, and require manual approval before posting cases outside the machine.

What this means

Sensitive chat content can remain on disk and influence later automated case filings.

Why it was flagged

The daemon keeps conversation history in persistent local state and reuses it for automated analysis; the provided config does not show retention limits or a clear purge policy.

Skill content

const STATE_FILE = path.join(COURTROOM_DIR, 'state.json'); ... return { messageHistory: [], lastAnalysis: 0, casesFiled: 0 }; ... fs.writeFileSync(STATE_FILE, JSON.stringify(state, null, 2));

Recommendation

Add explicit retention limits, a clear-history command, exclusions for sensitive conversations, and user-visible controls before enabling continuous monitoring.

What this means

Other local software could inject messages that affect stored history or trigger external case filing.

Why it was flagged

The documented message channel allows any local system to feed content into the daemon, and the artifacts do not describe authentication, origin checks, or caller identity boundaries for that ingestion path.

Skill content

Your OpenClaw agent (or any system) sends messages to the daemon: ... `http://localhost:8765/message`

Recommendation

Require an authentication token or strict origin control for message ingestion, and treat incoming messages as untrusted input.

What this means

Anyone with access to the config file may be able to read or misuse the API key.

Why it was flagged

The skill supports an API authentication key for its configured case endpoint; this is purpose-aligned, but it is stored in a local JSON config rather than declared as a managed credential.

Skill content

"apiKey": "your-api-key-here"

Recommendation

Protect the config file permissions and prefer a managed secret store or environment variable for the API key.