Manus AI Skill for OpenClaw
Security checks across malware telemetry and agentic risk
Overview
This skill openly connects to Manus, but it can delegate broad autonomous actions and connected-account changes to an external service without clear approval, scope, or stopping limits.
Install only if you trust Manus and the publisher with the tasks and connected accounts involved. Use least-privilege accounts, avoid uploading sensitive files unless necessary, require explicit confirmation before bookings, posts, calendar changes, or other account mutations, and secure or avoid the webhook server unless you need it.
VirusTotal
65/65 vendors flagged this skill as clean.
Risk analysis
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
An agent using this skill could ask Manus to perform actions that spend money, change accounts, or affect external systems before the user has reviewed the final action.
The skill exposes an arbitrary prompt-to-autonomous-agent interface for high-impact actions such as booking travel and installing software, without documented approval gates or action limits.
python3 run_task.py "Reserva un vuelo de NYC a LA para el 15 de marzo" ... "Has full internet access" ... "Can install software"
Require explicit user confirmation before financial, posting, scheduling, software-installing, or account-changing tasks, and keep prompts tightly scoped.
Connected Gmail, Calendar, Notion, or Slack accounts could be read from or modified through Manus with unclear limits.
The skill describes delegated access to sensitive connected services and persistent authenticated sessions, but does not state scopes, consent boundaries, or safeguards for reads and mutations.
Manus includes built-in connectors: Gmail, Notion, Google Calendar, Slack ... "Read my last 5 emails" ... "Post a message" ... "Maintains authenticated service sessions"
Use least-privilege connector accounts, review Manus connector permissions, and require confirmation before any action that reads private data or changes third-party accounts.
A task may keep consuming credits or acting in external systems after the user stops watching the command.
The script can start external Manus tasks that continue running after the local process stops waiting; combined with broad automation powers, this reduces user control unless separately monitored.
help="Don't wait for completion, just return task ID" ... "Timeout after {timeout}s - Task still running"
Monitor task status in Manus, avoid no-wait mode for high-impact tasks, and add or document a cancellation/stop workflow.
Anyone who can reach the port could send fake webhook events or noisy data to the local server.
The optional webhook server listens on all network interfaces and processes webhook JSON without visible signature or shared-secret verification.
server = HTTPServer(("0.0.0.0", args.port), WebhookHandler) ... json.loads(body.decode("utf-8")); self.handle_manus_webhook(data)
Bind the webhook server to localhost unless public exposure is needed, use firewalling, and add webhook signature or secret verification.
