Openclaw Eve Skill

Pass

Audited by ClawScan on May 10, 2026.

Overview

This EVE Online skill appears purpose-aligned, but it handles persistent EVE OAuth tokens and broad character data, so users should review the requested access carefully.

Install only if you want OpenClaw to access the listed EVE character data. Use least-privileged EVE scopes where possible, keep ~/.openclaw/eve-tokens.json private, revoke tokens when finished, and avoid write-capable tokens or external notifications unless you explicitly need them.

Findings (4)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

If authorized, the skill can read substantial private EVE character data for each connected character.

Why it was flagged

The OAuth flow requests broad EVE character read scopes, including wallet, location/online status, and mail access. This matches the skill's broad EVE account-management purpose, but it is sensitive delegated account access.

Skill content

"esi-wallet.read_character_wallet.v1", ... "esi-location.read_location.v1", ... "esi-mail.read_mail.v1"

Recommendation

Authorize only characters you intend to use with OpenClaw, review the consent screen, and revoke EVE SSO access when you no longer need the skill.

What this means

A mistaken or over-permitted non-GET request could alter EVE account data if the token has matching write scopes.

Why it was flagged

The helper supports user-supplied endpoints, methods, and request bodies. This is useful for ESI access, but with a write-capable token it could perform account changes.

Skill content

python esi_query.py --token <ACCESS_TOKEN> --endpoint /characters/12345/contacts/ --method POST --body '[{"contact_id":123,"standing":10}]'

Recommendation

Use least-privileged/read-only EVE scopes by default and require explicit user confirmation before any POST, PUT, or DELETE request.

What this means

Alert content may be visible to Telegram or Discord accounts/channels configured by the user.

Why it was flagged

The skill can send user-configured alerts to external messaging/webhook services. This is disclosed and optional, but it can move EVE character-derived alert data outside the local environment.

Skill content

Telegram Bot API — optional, user-configured via `TELEGRAM_BOT_TOKEN` for alert notifications; Discord Webhooks — optional, user-configured via `DISCORD_WEBHOOK_URL`

Recommendation

Only configure trusted channels and avoid including sensitive mail, location, wallet, or asset details in notifications unless necessary.

What this means

Users have less registry-level provenance information for a skill that can access EVE account data.

Why it was flagged

The registry metadata does not provide a clear source or homepage, even though the skill handles OAuth tokens. The included code is reviewable and no install-time dependency risk is shown, so this is a provenance note rather than a concern.

Skill content

Source: unknown; Homepage: none; No install spec — this is an instruction-only skill.

Recommendation

Review the packaged files before use and prefer installing/updating from a verified repository or trusted registry entry.