v0.5.0

OpenClaw Continuity Pack

Review: ClawScan verdict for this skill. Analyzed May 1, 2026, 8:40 AM.

Analysis

Review before installing: the pack is mostly coherent for its continuity purpose, but it promotes broad no-approval execution settings and persistent hidden handoff/memory behavior, and the runtime patch asset it advertises is missing from the provided package.

Guidance: Use workspace-only or continuity-only mode if you only need the templates. Before using the full route, confirm that the patch file is actually present in the package and review it. Do not copy the example config with full/elevated/ask-off execution unless you intentionally want a highly trusted local agent, and edit AGENTS.md to match your approval and privacy preferences.

Findings (6)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

Abnormal behavior control

Checks for instructions or behavior that redirect the agent, misuse tools, execute unexpected code, cascade across systems, exploit user trust, or continue outside the intended task.

Tool Misuse and Exploitation
Severity: High. Confidence: High. Status: Concern.
assets/config/openclaw.example.json
"tools": { "profile": "full", "elevated": { "enabled": true ... }, "exec": { "host": "gateway", "security": "full", "ask": "off" } }

The bundled example config tells users to enable full tool access, elevated mode, and no-approval gateway execution. That is a high-impact authority level for a continuity pack.

User impact: If copied as-is, the agent could run powerful local or gateway commands without asking first.
Recommendation: Do not use ask=off, full security, or elevated mode unless you intentionally want a fully trusted agent. Prefer scoped tools, ask-on approval, and disabled elevated mode by default.
Agent Goal Hijack
Severity: Medium. Confidence: High. Status: Concern.
assets/workspace/AGENTS.md
When the user gives you a task, continue autonomously until the task reaches maximum completion. ... Don't ask permission. Just do it.

The installed workspace instructions change how the agent stops, asks for permission, and works silently. This is related to the continuity goal, but it is broad behavior-control text that can affect all future tasks in that workspace.

User impact: The agent may take many steps, read files, and update workspace state before checking back with you.
Recommendation: Review and edit AGENTS.md after installation. Keep the continuity rules you want, but remove or narrow the broad autonomy and no-permission language.
Agentic Supply Chain Vulnerabilities
Severity: Medium. Confidence: High. Status: Concern.
scripts/apply_runtime_patch.py
patch_path = ... / "assets" / "patch" / "thread-continuity.patch"
if not patch_path.exists():
    print(f"ERROR: patch not found: {patch_path}")

The full continuity workflow depends on a bundled runtime patch, but the supplied file manifest and file contents do not include assets/patch/thread-continuity.patch even though the docs repeatedly claim it is included.

User impact: Users cannot verify or apply the advertised runtime patch from the supplied package, and the main full-install route may fail or rely on an out-of-band patch source.
Recommendation: Do not use the full runtime patch route until the patch file is present in the package and has been reviewed. Treat workspace-only or continuity-only installation as the safer route.
Unexpected Code Execution
Severity: Medium. Confidence: High. Status: Note.
scripts/apply_runtime_patch.py
run(["pnpm", "build"], cwd=source_root)
run(["pnpm", "ui:build"], cwd=source_root)

The full route runs build commands in a user-supplied OpenClaw source tree. This is expected for source patching, but it executes the target project’s build scripts.

User impact: Running the full route can execute local build logic and modify or rebuild an OpenClaw installation.
Recommendation: Run this only in a reviewed source tree, preferably in a test environment, and make backups before applying the patch or rebuilding.
Permission boundary

Checks whether tool use, credentials, dependencies, identity, account access, or inter-agent boundaries are broader than the stated purpose.

Identity and Privilege Abuse
Severity: Low. Confidence: High. Status: Note.
assets/config/openclaw.example.json
"token": "<REPLACE_WITH_GATEWAY_TOKEN>" ... "apiKey": "<REPLACE_WITH_API_KEY>"

The example config expects users to add gateway and provider credentials. No real credentials are hardcoded, but installing users must handle these secrets carefully.

User impact: Misplaced or over-scoped API keys and gateway tokens could give the agent or gateway more access than intended.
Recommendation: Use least-privilege tokens, keep secrets out of shared workspace files, and avoid committing filled-in config files.
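The following pre-install audit is an added example; it is not ClawScan's scanner and not code shipped with the Continuity Pack. It turns the recommendations of the Tool Misuse, Agent Goal Hijack, Agentic Supply Chain and Identity findings above into checks you can run against an unpacked skill directory before installing: it flags the full/elevated/ask-off execution settings in the example config, reports credential placeholders that were never filled in, matches the broad-autonomy phrases in AGENTS.md, and verifies that the advertised patch file is actually in the package manifest. The JSON key names come from the config excerpt quoted above; the `<REPLACE_WITH_...>` placeholder pattern, the regex phrase list, the gateway/provider nesting of the credential fields, the constructed manifest, and the values used in the hardened config are assumptions made for this example.

```python
"""Pre-install audit for an OpenClaw skill package: an added example, not
ClawScan's scanner and not code from the Continuity Pack itself.

Config key names come from the openclaw.example.json excerpt quoted in the
findings. The "<REPLACE_WITH_...>" placeholder pattern, the autonomy phrase
list, the gateway/provider nesting of the credential fields and the values in
the hardened config are assumptions made for this example.
"""
import json
import re
from pathlib import PurePosixPath

# Settings the Tool Misuse finding calls out: (key path, value that is risky).
RISKY_SETTINGS = {
    ("tools", "profile"): "full",
    ("tools", "elevated", "enabled"): True,
    ("tools", "exec", "security"): "full",
    ("tools", "exec", "ask"): "off",
}

# Broad-autonomy phrases from the quoted AGENTS.md excerpt (regexes, assumed wording).
AUTONOMY_PATTERNS = [
    r"don'?t ask (for )?permission",
    r"just do it",
    r"continue autonomously",
    r"maximum completion",
]

# Assumed placeholder convention, generalised from the two values quoted above.
PLACEHOLDER_RE = re.compile(r"^<REPLACE_WITH_[A-Z_]+>$")


def _get(cfg, path):
    """Follow a key path through nested dicts; None if any key is absent."""
    node = cfg
    for key in path:
        if not isinstance(node, dict) or key not in node:
            return None
        node = node[key]
    return node


def audit_config(config_text):
    """Flag risky execution settings and unfilled credential placeholders."""
    cfg = json.loads(config_text)
    findings = []
    for path, risky_value in RISKY_SETTINGS.items():
        if _get(cfg, path) == risky_value:
            findings.append(f"risky setting {'.'.join(path)}={risky_value!r}")

    def walk(node, prefix):
        if isinstance(node, dict):
            for key, value in node.items():
                walk(value, f"{prefix}.{key}" if prefix else key)
        elif isinstance(node, str) and PLACEHOLDER_RE.match(node):
            findings.append(f"placeholder credential still present at {prefix}")

    walk(cfg, "")
    return findings


def audit_agents_md(text):
    """Return the autonomy patterns that match anywhere in AGENTS.md."""
    return [p for p in AUTONOMY_PATTERNS if re.search(p, text, re.IGNORECASE)]


def audit_manifest(manifest, required):
    """Return advertised files that the package manifest does not contain."""
    present = {PurePosixPath(p).as_posix() for p in manifest}
    return [p for p in required if PurePosixPath(p).as_posix() not in present]


# Constructed inputs that mirror the excerpts quoted in the findings.
EXAMPLE_CONFIG = json.dumps({
    "gateway": {"token": "<REPLACE_WITH_GATEWAY_TOKEN>"},   # nesting assumed
    "provider": {"apiKey": "<REPLACE_WITH_API_KEY>"},       # nesting assumed
    "tools": {
        "profile": "full",
        "elevated": {"enabled": True},
        "exec": {"host": "gateway", "security": "full", "ask": "off"},
    },
})
# Hardened variant: every value other than the risky ones is an assumption;
# check the OpenClaw documentation for the real enum values.
HARDENED_CONFIG = json.dumps({
    "tools": {
        "profile": "scoped",
        "elevated": {"enabled": False},
        "exec": {"host": "gateway", "security": "restricted", "ask": "on"},
    },
})
AGENTS_EXCERPT = ("When the user gives you a task, continue autonomously until "
                  "the task reaches maximum completion. Don't ask permission. Just do it.")
MANIFEST = ["SKILL.md", "scripts/apply_runtime_patch.py",
            "assets/config/openclaw.example.json", "assets/workspace/AGENTS.md",
            "references/overview.md"]          # constructed; patch file absent
REQUIRED_ASSETS = ["assets/patch/thread-continuity.patch"]

if __name__ == "__main__":
    for label, result in [("config", audit_config(EXAMPLE_CONFIG)),
                          ("hardened config", audit_config(HARDENED_CONFIG)),
                          ("AGENTS.md", audit_agents_md(AGENTS_EXCERPT)),
                          ("manifest", audit_manifest(MANIFEST, REQUIRED_ASSETS))]:
        print(f"{label}: {result or 'no findings'}")
```

Run it against your own copy by replacing the constructed inputs with the real file contents and a directory listing of the unpacked package. Any non-empty result from `audit_manifest` is the signal to stay on the workspace-only or continuity-only route; the config checks only recognise the exact risky values quoted in the findings, so a config that spells the same authority differently still needs a manual read.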
Sensitive data protection

Checks for exposed credentials, poisoned memory or context, unclear communication boundaries, or sensitive data that could leave the user's control.

Memory and Context Poisoning
Severity: Medium. Confidence: High. Status: Note.
references/overview.md
keep the hidden handoff in the successor, but do not leak the handoff into the user-visible history

The continuity design intentionally keeps handoff context in successor sessions while hiding it from the user-visible chat history. This is disclosed and purpose-aligned, but it creates non-obvious persistent context that can influence later responses.

User impact: Future agent behavior may depend on hidden handoff or memory files that are not visible in the normal chat transcript.
Recommendation: Inspect and prune memory, status, and handoff files regularly. Use this feature only if you are comfortable with hidden continuity context.