Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

New Agent Setup

v1.0.0

Set up a new OpenClaw agent end-to-end, including info gathering, Discord bot & channel setup, config edits, OneDrive access, cron jobs, and final verification.

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Suspicious
OpenClaw: Benign (medium confidence)
Purpose & Capability
The name/description (new-agent end-to-end setup) matches the instructions: gathering Discord details, editing openclaw.json, creating HEARTBEAT/MEMORY files, adding cron jobs, and optionally linking OneDrive. Required actions and targets are coherent for this purpose.
Instruction Scope
SKILL.md explicitly instructs modifying ~/.openclaw/openclaw.json, writing MEMORY.md/HEARTBEAT.md, updating crontab, restarting the gateway, and storing the Discord bot token under channels.discord.accounts. Those actions are all within onboarding scope but involve writing sensitive info and system-wide cron changes; the instructions are prescriptive rather than vague.
Install Mechanism
Instruction-only skill with no install spec and no code files — nothing is downloaded or written by the skill itself. This is the lowest install risk.
Credentials
No declared environment variables or external credentials in metadata, but the runtime instructions require a Discord Bot Token/Application ID and direct you to place the token into openclaw.json. Requesting the Discord token is expected for this integration, but storing tokens in config files and instructing 'set all permissions to Allow' are sensitive operations that should be minimized and protected.
Persistence & Privilege
always:false and no install-time persistence. The skill can be invoked by the model (default) but is not force-enabled; it does not request modification of other skills' configs or system policies.
Assessment
This skill is a step-by-step checklist for onboarding an OpenClaw agent and is coherent with that purpose, but it will guide a human (or an agent) to: 1) collect a Discord bot token and place it in ~/.openclaw/openclaw.json, 2) change system crontab entries, and 3) restart gateway services. Before using it:
- Confirm you trust the person following these steps (named 'Gus' in docs) and that Tom intends to provision the bot.
- Avoid granting the Discord bot more permissions than required; don't set 'all permissions: Allow' unless necessary.
- Prefer storing secrets in a secure store or with appropriate file permissions rather than world-readable config files; at minimum ensure openclaw.json is only readable by the service owner.
- Back up ~/.openclaw/openclaw.json and review diffs before applying changes.
- When enabling OneDrive access, verify any OAuth/token flows and do not expose account passwords.
- Review crontab changes carefully to avoid privilege escalation or unintended scheduling.

If you want higher assurance, request an author identity/homepage for the skill or ask for a small demo run in a non-production environment to confirm exactly what files will be written.

Like a lobster shell, security has layers — review code before you run it.
