Skill v1.0.0

ClawScan security

agent-manager · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Benign · Mar 12, 2026, 8:11 PM
Verdict
benign
Confidence
medium
Model
gpt-5-mini
Summary
The skill's files and runtime instructions are consistent with a tool that manages OpenClaw agent configs and Matrix accounts; nothing indicates hidden exfiltration or unrelated credential access. It does, however, store Matrix access tokens in plaintext configuration and uses a predictable default password, so exercise caution.
Guidance
This skill appears to do what it says: create/manage agents, register Matrix accounts, store tokens and bind agents. Before running it: (1) verify that HOMESERVER_URL points to a Matrix server you trust, since the skill will send account credentials there and store whatever token it returns; (2) inspect ~/.openclaw/tmp-workspace (and any other files it will copy) to avoid installing unwanted files into the new workspace; (3) be aware that Matrix access tokens will be written in plaintext to your openclaw.json, so restrict the file's permissions or encrypt it if needed; (4) override the predictable default password used by setup_agent.sh with a strong secret; and (5) back up your openclaw.json before mass changes. If you need the skill to avoid persisting secrets, request or modify the scripts to use a secure credential store instead of plain JSON.

Review Dimensions

Purpose & Capability
ok: Name/description (agent lifecycle, Matrix account registration, bindings) match the included scripts and SKILL.md: scripts add/remove agents, register/login to Matrix, and write accounts and bindings into openclaw.json. No unrelated services or credentials are requested.
Instruction Scope
note: Instructions operate on the OpenClaw config (default ~/.openclaw/openclaw.json) and a Matrix homeserver (HOMESERVER_URL). They read/write local config and call the Matrix API only. SKILL.md mentions HOMESERVER_URL and CONFIG_PATH although the registry metadata declares no required env vars (both are optional). The one-script flow (setup_agent.sh) copies a local tmp-workspace into each new workspace, which could introduce unwanted files if that directory is untrusted; the user should inspect tmp-workspace before running it.
Install Mechanism
ok: No install spec; this is a script/python-based bundle. No network-based installers or third-party package downloads are performed by the skill itself. Dependencies are standard (python3, curl, pypinyin).
Credentials
note: The skill handles Matrix access tokens (it obtains them from the homeserver and writes them into openclaw.json). Although no required secrets are declared in the registry metadata, this behavior is expected for a manager that stores account credentials. Important security note: access tokens are persisted in plaintext within the JSON config file, and the setup script generates a predictable password pattern (agent_id + fixed suffix), so anyone who can guess an agent_id and the suffix can log in to that account. Users should supply stronger passwords and secure the config file (filesystem permissions, encryption).
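The pre-flight steps in the Guidance above (trusted HOMESERVER_URL, backup, file permissions, a non-default password) and the plaintext-token concern in this Credentials note can be scripted. The following is an added example written for this review, not code shipped with the agent-manager skill or by OpenClaw. It assumes openclaw.json is a JSON file whose token fields are named "access_token" or "accessToken" at some nesting depth (the real schema is not shown on this page, so the walk is generic), and the sample config it audits is constructed for illustration.

```python
"""Pre-flight checks before running a skill that writes Matrix tokens into openclaw.json.

Added example; not part of the agent-manager skill. Assumptions: token fields
are named "access_token"/"accessToken" (the real openclaw.json schema is not
known here), and SAMPLE_CONFIG is a constructed stand-in for a real file.
"""
import json
import os
import secrets
import shutil
import stat
import tempfile
import time
from pathlib import Path
from urllib.parse import urlparse

DEFAULT_CONFIG = Path.home() / ".openclaw" / "openclaw.json"
TOKEN_KEYS = {"access_token", "accessToken"}  # assumed field names, see lead-in

# Constructed sample shaped like what the skill might write; not the real schema.
SAMPLE_CONFIG = {
    "matrix": {
        "accounts": [
            {"user_id": "@agent1:matrix.example.org", "access_token": "syt_constructed_token"}
        ]
    },
    "agents": {"agent1": {"workspace": "/home/user/.openclaw/workspaces/agent1"}},
}


def homeserver_trusted(url: str, allowlist: set) -> bool:
    """Accept only https URLs whose host is on the operator's allowlist (no embedded creds)."""
    p = urlparse(url)
    return (
        p.scheme == "https"
        and bool(p.hostname)
        and p.hostname.lower() in allowlist
        and not p.username
        and not p.password
    )


def backup_config(path: Path) -> Path:
    """Copy the config next to itself with a timestamp suffix, preserving its mode bits."""
    dest = path.with_name(f"{path.name}.{int(time.time())}.bak")
    shutil.copy2(path, dest)
    return dest


def restrict_permissions(path: Path) -> int:
    """chmod 600 so other local users cannot read the plaintext tokens; returns the new mode."""
    os.chmod(path, stat.S_IRUSR | stat.S_IWUSR)
    return stat.S_IMODE(path.stat().st_mode)


def find_plaintext_tokens(obj, prefix: str = "") -> list:
    """Walk parsed JSON and return dotted paths of non-empty access-token fields."""
    found = []
    if isinstance(obj, dict):
        for key, val in obj.items():
            here = f"{prefix}.{key}" if prefix else key
            if key in TOKEN_KEYS and isinstance(val, str) and val:
                found.append(here)
            else:
                found.extend(find_plaintext_tokens(val, here))
    elif isinstance(obj, list):
        for i, val in enumerate(obj):
            found.extend(find_plaintext_tokens(val, f"{prefix}[{i}]"))
    return found


def strong_password(nbytes: int = 24) -> str:
    """Random password to hand to setup_agent.sh instead of its agent_id + suffix default."""
    return secrets.token_urlsafe(nbytes)


def preflight(config_path: Path, homeserver_url: str, allowlist: set) -> dict:
    """Refuse untrusted homeservers, then back up, lock down and audit the config file."""
    if not homeserver_trusted(homeserver_url, allowlist):
        raise ValueError(f"refusing untrusted HOMESERVER_URL: {homeserver_url}")
    report = {"backup": None, "mode": None, "tokens": []}
    if config_path.exists():
        report["backup"] = str(backup_config(config_path))
        report["mode"] = restrict_permissions(config_path)
        with config_path.open() as fh:
            report["tokens"] = find_plaintext_tokens(json.load(fh))
    return report


def demo() -> dict:
    """Write the constructed sample config into a temp dir and run the checks on it."""
    cfg = Path(tempfile.mkdtemp()) / "openclaw.json"
    cfg.write_text(json.dumps(SAMPLE_CONFIG))
    return preflight(cfg, "https://matrix.example.org", {"matrix.example.org"})


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Run it against the real file by calling preflight(DEFAULT_CONFIG, os.environ["HOMESERVER_URL"], {"your.homeserver"}) before invoking setup_agent.sh, and pass strong_password() to the script in place of its default. The token audit only reports where plaintext tokens sit; moving them into a credential store still requires changing the skill's scripts, as the Guidance says.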
Persistence & Privilege
ok: The skill does not request always:true and does not modify other skills or system-wide agent settings. It writes to its own application config (openclaw.json) and creates agent workspace directories; this is expected for its purpose.