teamclaw_test
WarnAudited by ClawScan on May 10, 2026.
Overview
TeamClaw appears to be a real multi-agent server, but it requests broad command/tool, session, bot, and public-network access without enough clear boundaries in the provided artifacts.
Install only if you need a full multi-agent server. Run it in an isolated environment, use dedicated low-privilege API keys and accounts, do not enable the OpenClaw sessions-file integration or public tunnel until you review the code and configure strong authentication, and keep command/file/code tools tightly restricted.
Findings (6)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
If enabled, the subsystem may be able to use or inspect existing OpenClaw session state, which could let it act with more authority than expected.
The skill can be pointed at an existing OpenClaw sessions file, a high-impact local session/auth store, but the artifacts do not clearly bound what is read, reused, or exposed.
`OPENCLAW_SESSIONS_FILE` | Absolute path to OpenClaw sessions.json file (**required when using OpenClaw**) | `/projects/.moltbot/agents/main/sessions/sessions.json`
Do not point it at a main/personal session store unless you have reviewed the code; use a dedicated low-privilege OpenClaw account, scoped API key, and isolated session file.
A mistaken prompt, compromised session, or unsafe workflow could cause local file or code actions if tool access is enabled too broadly.
The documented stateful agents can access file/code/search tools, while the provided artifacts do not clearly define default command limits, approval requirements, or containment for those tool calls.
Stateful ... Each expert gets a persistent session with memory, can invoke search/file/code tools
Disable code/file tools unless needed, set a strict `ALLOWED_COMMANDS` policy, run in a sandboxed directory/container, and require explicit user approval for writes or command execution.
Using the tunnel helper adds trust in the downloaded Cloudflare binary and its retrieval path.
The optional tunnel helper can download and run an external binary. This is disclosed and purpose-aligned, but the provided snippet does not show version pinning or verification.
Auto-detects platform → downloads `cloudflared` if missing → starts tunnels
Install `cloudflared` yourself from an official source if possible, verify the binary/version, and only run the tunnel command intentionally.
Private details or bad instructions saved into memory could influence future agent behavior.
The skill intentionally stores conversation/profile memory and reuses it in later prompts, which is expected for personalization but sensitive.
SQLite-persisted conversation memory ... Profile saved and injected into future conversations
Avoid storing secrets in chats or profiles, periodically review/delete user profile and session data, and keep user accounts isolated.
If exposed publicly with weak credentials or overly broad bot access, other people could reach the UI or notification endpoints.
The skill is designed to bridge local services to external network paths and messaging platforms. This is disclosed, but authentication and whitelists become important.
Exposes both the **Web UI** (port 51209) and **Bark push service** (port 58010) simultaneously
Use strong unique passwords, keep bot whitelists tight, avoid public tunnels unless necessary, and rotate tokens if exposure occurs.
The agent subsystem may continue serving requests, running scheduled tasks, or sending notifications until explicitly stopped.
The service is intended to keep running after startup. This is disclosed and includes stop/status commands, but users should recognize the persistence.
bash selfskill/scripts/run.sh start # Start in background
Use the documented status/stop commands, avoid leaving it running unattended, and run it under a dedicated user or container.