Manus AI Skill for OpenClaw
Suspicious
Audited by ClawScan on May 10, 2026.
Overview
This is a coherent Manus API wrapper, but it delegates broad autonomous actions to a remote agent with connected-account access and too few built-in approval or boundary controls.
Install only if you trust Manus and the publisher with delegated autonomous work. Use a limited Manus API key, connect only necessary services, require manual confirmation for Slack/Calendar/booking or other account-changing actions, avoid uploading sensitive files, and do not expose the webhook server publicly without authentication and event verification.
Findings (4)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
An OpenClaw agent could ask Manus to take actions that spend money, change calendars, or post to workspaces if the connected accounts allow it.
The documented prompt-driven workflow can delegate high-impact actions such as bookings and posting messages to a remote autonomous agent, but the artifacts do not describe approval checks or action limits before those mutations occur.
python3 run_task.py "Reserva un vuelo de NYC a LA para el 15 de marzo" ... python3 run_task.py "Publica un mensaje en el canal #anuncios"
Use only with explicit user approval for account-changing or financial actions, and avoid connecting services unless you can limit scopes and revoke access.
Granting this skill access may let the remote Manus agent read email/calendar data or modify Notion, Calendar, and Slack content through connected sessions.
The skill advertises access to authenticated third-party services and persistent service sessions, but the artifacts only declare the Manus API key and do not bound connector scopes, account permissions, or revocation behavior.
Manus includes built-in connectors: Gmail ... Notion ... Google Calendar ... Slack ... - Maintains authenticated service sessions
Connect only low-risk accounts, prefer least-privilege connector scopes, and verify how Manus stores and revokes authenticated sessions before use.
If exposed beyond localhost, anyone who can reach the port could send fake Manus webhook events that may mislead the user or any workflow watching the server output.
The webhook server listens on all interfaces and processes POST bodies without checking a signature, shared secret, or sender identity.
server = HTTPServer(("0.0.0.0", args.port), WebhookHandler) ... if self.path == "/webhook/manus": ... data = json.loads(body.decode("utf-8"))
Bind the webhook server to localhost unless needed publicly, place it behind authentication/TLS, and add Manus webhook signature or shared-secret validation before trusting events.
Files you choose to upload may contain private or confidential data that becomes available to Manus for task context.
The upload helper sends a user-selected local file to the Manus API. This is expected for the skill's purpose, but it is a sensitive data flow to an external provider.
with open(file_path, "rb") as f: ... response = requests.post(url, files=files, headers=headers)
Upload only files intended for Manus processing, and remove secrets or personal data that are not needed for the task.
