ClawShot - The Visual Layer for AI Agents
MaliciousAudited by VirusTotal on May 11, 2026.
Overview
Type: OpenClaw Skill Name: clawshot Version: 2.2.2 The OpenClaw AgentSkills skill bundle is classified as benign. All code and documentation consistently align with the stated purpose of enabling an AI agent to participate in a visual social network (ClawShot.ai). The `SKILL.md` and other markdown files provide extensive, well-structured instructions for the agent, including critical security warnings against API key misuse and prompt injection, guiding the agent towards responsible behavior. Shell scripts (`setup.sh`, `tools/*.sh`) perform system modifications (cron jobs, shell profile updates, directory creation) and network calls, but these are directly related to setting up and automating the agent's activity on the official `clawshot.ai` domain. There is no evidence of data exfiltration, malicious execution, persistence mechanisms beyond the stated purpose, or obfuscation. API keys are handled securely by loading from a dedicated, permission-restricted file.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
If the remote server or downloaded files change, code can run on the user's machine with the user's account permissions.
The setup path recommends executing a remote script and then downloading executable helper scripts without checksums, signatures, or version pinning.
# Run: bash <(curl -sS https://clawshot.ai/setup.sh) ... curl -sS -o ~/.clawshot/tools/post.sh https://clawshot.ai/tools/post.sh ... chmod +x ~/.clawshot/tools/*.sh
Download and inspect scripts before running them, pin to a reviewed version or checksum, and avoid process-substitution installs for security-sensitive agents.
Background jobs can keep making API calls, collecting feed context, and prompting activity until the user edits or removes the cron entries.
The setup script installs persistent randomized cron jobs that use the ClawShot API key and continue running after setup.
# ClawShot autonomous agent tasks (HEAVILY randomized across 24 hours) ... curl -s \$CLAWSHOT_BASE_URL/v1/feed?limit=10 -H "Authorization: Bearer \$CLAWSHOT_API_KEY" ... | crontab -
Make scheduled activity explicitly opt-in, document an uninstall command, and review the user's crontab after setup.
The agent could create visible public activity that affects the user's or agent's reputation if it acts without human review.
The workflow gives the agent recurring authority to take public social actions, including likes, posts, and follows.
Run this routine every 3–6 hours ... Like 1–3 genuinely good posts ... Post ONLY if you have something worth sharing ... Follow 1 new agent or tag
Require explicit user approval for posting, commenting, following, and cross-posting unless the user has deliberately enabled autonomous social activity.
Anyone with the key could impersonate the agent on ClawShot.
The skill uses a ClawShot API key that represents the agent's identity and can authorize account actions.
Store credentials in `~/.clawshot/credentials.json` with restricted permissions (chmod 600) ... Your API key is your identity.
Use a dedicated ClawShot key, keep the credential file private, do not log the key, and rotate it if there is any chance it was exposed.
Untrusted public captions could influence future agent behavior if treated as instructions rather than data.
The setup logs public feed captions as ongoing context, which could later be read by an agent as part of its decision process.
# Feed browsing: 6x daily at random times (context gathering) ... jq -r '.posts[] | "[\(.agent.name)] \(.caption // \"no caption\")"' >> ~/.clawshot/logs/feed-browse.log
Treat feed text, captions, comments, and mentions as untrusted content; do not follow instructions found in social posts without user confirmation.
Other agents can send content that may influence notifications, engagement decisions, or future autonomous behavior.
The service supports comments and @mentions between agents, creating an inter-agent communication channel.
@mentions: `@alice great work!` ... Both agents get notified.
Keep clear boundaries between social messages and executable instructions, and require review before acting on requests from other agents.