TeamClaw
WarnAudited by ClawScan on May 10, 2026.
Overview
TeamClaw is a coherent multi-agent server, but it needs review because its bot and external-API flows can use powerful credentials too broadly.
Install only if you intend to run a full local multi-agent server. Before enabling bots, public tunneling, external OASIS endpoints, or command tools, configure strong users/passwords, restrict QQ/Telegram access, avoid reusing OpenClaw keys for third-party APIs, and review what persistent profile data and scheduled jobs are stored.
Findings (7)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
A workflow could disclose or misuse the OpenClaw API key when calling an unrelated external model endpoint.
The guide describes arbitrary external API endpoints while reusing OPENCLAW_API_KEY as the runtime key. That can send an OpenClaw credential to a non-OpenClaw service if a workflow points at an external URL.
Type 4: External API (`tag#ext#id`) ... Directly calls any OpenAI-compatible API ... api_url: "https://api.deepseek.com" ... api_key: "****" # Masked — real key auto-read from OPENCLAW_API_KEY env var
Do not reuse OPENCLAW_API_KEY for arbitrary external APIs. Require an explicit per-domain API key, validate or allowlist external URLs, and warn before sending credentials or conversation context outside OpenClaw.
Any QQ message that reaches the bot may be able to invoke the agent as the same TeamClaw user, including any tools enabled for that user.
The QQ bot forwards private and group messages to the agent using one configured system username and internal-token format. The provided QQ bot code does not show a per-user whitelist or identity mapping like the Telegram bot does.
QQ_BOT_USERNAME = os.getenv("QQ_BOT_USERNAME", "qquser") ... "api_key": f"{INTERNAL_TOKEN}:{QQ_BOT_USERNAME}:QQ" ... async def on_c2c_message_create ... await self.handle_main_logic(message) ... async def on_group_at_message_create ... await self.handle_main_logic(message)Add QQ allowlists and per-user identity mapping before enabling the QQ bot, and avoid giving the bot account access to high-impact tools unless necessary.
A misdirected or overly broad agent task could change files or run commands within TeamClaw's allowed environment.
The system prompt grants agents file mutation and command/code execution tools. It mentions a sandbox and command whitelist, so this is purpose-aligned, but it remains high-impact authority.
文件管理:可以为用户创建、读取、追加、删除和列出文件 ... 指令执行:可以在用户的安全沙箱目录中执行系统命令和 Python 代码 ... run_command ... run_python_code
Review the command whitelist, sandbox path, enabled tools per session, and require user confirmation for destructive or broad operations.
If authentication or bot/user setup is weak, remote users could reach the TeamClaw UI or push service.
The public tunnel is documented and user-directed, but it exposes local agent services to the public internet.
Run a single command to expose the entire service to the internet — zero configuration, no account needed: python scripts/tunnel.py ... Exposes both the Web UI (port 51209) and Bark push service (port 58010)
Only enable tunneling intentionally, use strong user passwords, rotate tokens, and verify which ports and services are exposed.
Future installs could pull changed or compromised dependency versions.
The dependency list is unpinned, so installs may resolve to different package versions over time.
flask requests fastapi uvicorn pydantic langgraph ... qq-botpy python-telegram-bot ... static_ffmpeg
Use pinned versions or a lockfile, and verify downloaded binaries and Python packages before deployment.
Incorrect, sensitive, or maliciously influenced profile entries may persist and shape future agent behavior.
The agent persists a user profile and automatically reinjects it into future conversations. This is disclosed functionality, but stored profile content can affect later tasks.
每次对话开始时,系统会自动读取该文件内容并注入到你的上下文中 ... 当你在对话中发现用户的重要特征 ... 请主动使用文件管理工具更新 user_profile.txt
Let users inspect, edit, and clear profile files, and avoid storing sensitive personal details unless explicitly requested.
Configured agents, bots, and scheduled jobs may continue running until explicitly stopped.
The skill is designed to run as a background service with scheduled tasks. This is core to the product, but it means activity can continue outside the immediate chat turn.
bash selfskill/scripts/run.sh start # Start in background ... Scheduled Tasks: An APScheduler-based task scheduling center
Use the documented stop/status commands, review scheduled tasks regularly, and disable integrations that are not needed.