Acp
WarnAudited by ClawScan on May 10, 2026.
Overview
This appears to be a real ACP communication setup skill, but it can enable persistent network access with broad remote-control and administrator-style privileges.
Install only if you trust the ACP plugin source and understand that it creates a persistent network communication channel. Before enabling it, pin or review the external repository, back up OpenClaw config, set ownerAid only to an identity you control, replace allowFrom ["*"] with a trusted allowlist if the agent is not meant to be public, and review the generated public agent.md.
Findings (6)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
If the owner AID is wrong, compromised, or over-trusted, remote ACP messages could control the local agent and its tools.
A configured remote ACP owner identity is granted full command execution, file modification, and agent capability access. That is high-impact delegated authority and the artifacts do not describe per-action approval or narrower containment.
Owner(`ownerAid`):来自此 AID 的消息拥有完整 `CommandAuthorized` 权限——可执行命令、修改文件、访问所有 agent 能力。
Set ownerAid only to an identity you fully control, prefer an allowlist, and require explicit approval before remote messages execute commands or modify files.
A newly added identity may receive administrator-level local OpenClaw privileges rather than only the minimum access needed for ACP messaging.
The multi-identity guide instructs adding a device identity with admin, approvals, and pairing scopes. Those privileges are broad and not clearly limited to the ACP channel purpose.
"role": "operator", "scopes": ["operator.admin", "operator.approvals", "operator.pairing"]
Use least-privilege scopes for new identities, document why each scope is required, and avoid granting operator.admin or pairing rights unless the user explicitly approves.
Installing runs code from external repositories and npm dependencies as part of the OpenClaw extension environment.
The installation flow pulls external plugin code and dependencies without a pinned commit or reviewed lockfile in the provided artifacts.
优先从 GitHub 克隆:`https://github.com/coderXjeff/openclaw-acp-channel.git` ... GitHub 不可达时,使用 Gitee 镜像 ... 克隆完成后 ... `npm install`
Verify the repository, pin a trusted commit or release, inspect dependencies, and avoid installing from an unexpected mirror unless you trust it.
Unknown agents can initiate conversations with the local agent, which can create unwanted traffic and expose conversation context to the ACP channel workflow.
The default allowFrom setting accepts messages from any ACP AID. The same file says external agents are restricted, so this is disclosed, but it still opens a broad public inter-agent channel.
`["*"]` — 接受所有人(默认)
Use a narrow allowFrom list for private agents and keep public access only when the user intentionally wants a public ACP endpoint.
The public agent profile may reveal selected local agent identity, capabilities, tools, activity indicators, timezone/language, or skill summaries.
The plugin can generate a public profile from local workspace/bootstrap files and upload it automatically when ACP connects.
ACP 连接建立时自动上传 agent.md ... 数据来源 ... `IDENTITY.md`, `SOUL.md`, `AGENTS.md`, `TOOLS.md`, `HEARTBEAT.md`, `USER.md` ... 上传后可通过 `https://{agentName}.agentcp.io/agent.md` 访问。Review the generated agent.md before syncing, remove private details from source files used for public profiles, and disable or override automatic generation if needed.
Mistaken or automatic use of these actions could affect other group members or delete a group.
The group tool documents actions that can change shared group state, moderate members, create invitations, or dissolve a group. These are purpose-aligned but high-impact.
`add_member`, `remove_member`, `ban_agent`, `unban_agent`, `update_announcement`, `create_invite_code`, `update_group_meta`, `review_join_request` ... `dissolve_group`
Require explicit user confirmation for moderation, invitation, announcement, and dissolve actions.