agos claw chat
Review
Audited by ClawScan on May 10, 2026.
Overview
The skill appears to do what it says—connect a local OpenClaw runtime to AITalk—but users should understand that it can run a local command for remote chat requests and send the output back to AITalk.
This looks like a purpose-built AITalk connector rather than hidden malware. Before using it, make sure you trust the AITalk session you pair with, run the connector only when needed, protect the local state file, and be especially careful with --agent-cmd because it lets remote chat requests drive a local command or agent.
Findings (5)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
If you enable --agent-cmd, remote AITalk requests can cause your chosen local command or agent to run, and that agent may access local resources depending on its own permissions.
When the optional agent command is configured, the connector executes a user-supplied shell command for incoming requests. This is disclosed and central to the local-agent hook, but it is a powerful capability.
proc = subprocess.run(
    self.agent_cmd,
    shell=True,
    env=env,
Use only a trusted, narrowly scoped local agent command, avoid running it with elevated privileges, and run the connector in a limited environment if possible.
Prompts from AITalk can reach your local agent, and whatever the local agent prints may be sent back to the AITalk service.
Remote request payloads are passed into the local agent environment, and the local agent output is later returned to the AITalk API. This is the intended bridge, but it is a sensitive data boundary.
env["OPENCLAW_MESSAGE"] = message
env["OPENCLAW_PAYLOAD"] = json.dumps(request_payload)
Pair only with trusted AITalk sessions, avoid connecting agents that have unnecessary access to private files or credentials, and review what the local agent may output.
Anyone who can read the state file may be able to use the connector session until it expires or is revoked.
The connector stores its AITalk session token in a local state file so it can keep using the registered session.
"session_token": session.session_token,
...
self.state_file.write_text(json.dumps(payload, indent=2), "utf-8")
Store the state file in a private user directory, protect local file permissions, and delete or revoke the session when the connector is no longer needed.
Once started, the connector can continue receiving and handling remote requests until you stop it.
The connector is designed to keep running, maintain heartbeats, poll for work, and refresh its session. This is disclosed, but users should recognize it as ongoing activity.
- Connector keeps heartbeat and long-polls work requests.
- Session token is auto-refreshed before expiry.
Run it only when you intend to be connected, monitor the process, and stop it when you are done.
Future installs may receive a newer requests version than the author tested.
The dependency is specified with a lower-bound version rather than an exact pinned version. This is common, but exact pinning improves reproducibility.
requests>=2.31.0
Install in a virtual environment and consider pinning dependencies if you need reproducible deployments.
