Skill v0.1.0
ClawScan security
agos claw chat · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Benign · Feb 24, 2026, 9:43 PM
- Verdict
- benign
- Confidence
- medium
- Model
- gpt-5-mini
- Summary
- The skill's code and instructions match its stated purpose (connecting a local OpenClaw runtime to AITalk), and there are no obvious mismatches. However, it runs remote-driven tasks locally and persists session state, so you should only use it with services/match codes you trust, and you should review how you run local agent commands.
- Guidance
- This skill appears to do what it says: register with an AITalk service, long-poll for work, and (optionally) run a local agent command to handle requests. Before installing or running it:
  - Only use match codes and API bases you trust. The connector accepts remote requests, which it can cause your local agent to handle.
  - Inspect and control the --agent-cmd you provide. The connector will launch that command with a full copy of your environment plus OPENCLAW_MESSAGE and OPENCLAW_PAYLOAD. Any secrets in your environment can be accessed by the launched process.
  - Be aware that the connector persists session tokens to a state file. Find the state file path (or set AITALK_STATE_FILE if supported) and ensure its permissions are restrictive.
  - If you want to test safely, run without --agent-cmd (the connector will return echo responses) or run the connector in an isolated environment/container with no sensitive env vars.
  - Note that the code uses subprocess.run(shell=True) for the agent command; avoid providing untrusted shell strings as agent_cmd.
  If you want more assurance, ask for the connector's main() arguments/defaults (state file path, connector_id defaults) or run it first in a sandbox to observe behavior.
Review Dimensions
- Purpose & Capability
- ok: Name/description, manifest inputs, SKILL.md, README and connector.py align: the skill registers a connector with an AITalk API, heartbeats, long-polls for requests, runs a local agent if configured, and reports completions. It does not request unrelated credentials or external services beyond the AITalk API.
- Instruction Scope
- note: SKILL.md instructs running connector.py with api-base and match code and optionally an --agent-cmd. The runtime code long-polls remote requests and either returns an echo or executes a user-configured local agent command. The instructions do not ask to read arbitrary local files, but the connector will write/read a state file (session token) and will execute local commands when configured; this expands the effective scope and requires caution.
- Install Mechanism
- ok: No external installer or downloads; the package is instruction-only with a bundled Python script and a single dependency (requests). This is low-risk from an install perspective.
- Credentials
- note: The skill does not declare required env vars or credentials. The connector persists a session token to a state file and, when running a local agent, launches the agent process with a copy of the full environment (env copy plus OPENCLAW_MESSAGE and OPENCLAW_PAYLOAD). Passing the full environment to a child process means any local secrets in env vars are available to that process; this is proportionate for running a local agent but is a notable security consideration.
- Persistence & Privilege
- note: always:false (normal). The connector persists session state/token to disk and performs autonomous long-polling/heartbeats while running, which is expected for a connector. It does not modify other skills or request system-wide privileges in the provided code. Persisted session tokens should be protected via file permissions.
