v0.1.0

Manus AI Skill for OpenClaw

ClawScan verdict for this skill. Analyzed May 1, 2026, 5:16 AM.

Analysis

This is a disclosed Manus API wrapper, but it can delegate broad account-changing work to a remote autonomous agent, so users should review scopes and approvals carefully before installing.

Guidance: Install only if you trust Manus and the skill publisher. Connect the minimum necessary third-party accounts, avoid uploading sensitive files unless required, and require explicit confirmation before the agent posts messages, schedules events, books travel, spends credits, or modifies external services. If using webhooks, keep the server private or add signature verification.

Findings (5)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

Abnormal behavior control

Checks for instructions or behavior that redirect the agent, misuse tools, execute unexpected code, cascade across systems, exploit user trust, or continue outside the intended task.

Tool Misuse and Exploitation
Severity: High. Confidence: High. Status: Concern.
SKILL.md
python3 run_task.py "Reserva un vuelo de NYC a LA para el 15 de marzo" ... python3 run_task.py "Publica un mensaje en el canal #anuncios"

The skill presents run_task.py as a generic remote-autonomous task launcher and includes examples that can spend money or publish/change third-party account state, without documented confirmation, allowlist, or rollback controls.

User impact: An agent could delegate broad actions to Manus that affect purchases, public channels, calendars, or other accounts if prompts are imprecise or used without explicit review.
Recommendation: Require separate user confirmation before purchases, posts, calendar changes, account mutations, or other irreversible actions; restrict connectors and prompts to the minimum needed.
Agentic Supply Chain Vulnerabilities
Severity: Low. Confidence: Medium. Status: Note.
README.md
git clone https://github.com/disier/clawdbot-skill-manus.git
cd clawdbot-skill-manus

# Install dependencies
npm install

The manual installation path depends on an external repository; no hidden installer or postinstall behavior is shown in the provided package, so this is a provenance note rather than evidence of malicious behavior.

User impact: Users who install manually could run code from a repository that should be verified independently.
Recommendation: Install from a trusted source, inspect the repository before use, and avoid running unreviewed updates automatically.
Permission boundary

Checks whether tool use, credentials, dependencies, identity, account access, or inter-agent boundaries are broader than the stated purpose.

Identity and Privilege Abuse
Severity: High. Confidence: High. Status: Concern.
SKILL.md
Manus includes built-in connectors: ... Gmail ... Notion ... Google Calendar ... Slack ... Maintains sessions for authenticated services

The skill can use authenticated third-party service sessions, but the artifacts do not describe connector scopes, session lifetime, revocation, or per-action approval requirements.

User impact: Connected Gmail, Notion, Calendar, or Slack accounts could be read or changed through the remote Manus service depending on the connected permissions.
Recommendation: Connect only accounts and scopes that are necessary, review Manus connector permissions, revoke unused sessions, and require user approval for any read/write action on private or business accounts.
Sensitive data protection

Checks for exposed credentials, poisoned memory or context, unclear communication boundaries, or sensitive data that could leave the user's control.

Insecure Inter-Agent Communication
Severity: Medium. Confidence: High. Status: Concern.
scripts/webhook_server.py
server = HTTPServer(("0.0.0.0", args.port), WebhookHandler) ... data = json.loads(body.decode("utf-8")); self.handle_manus_webhook(data)

The webhook server listens on all network interfaces and processes JSON webhook events without checking a signature, shared secret, source identity, or authentication header.

User impact: If exposed, other network actors could send fake Manus webhook events and cause misleading task status output.
Recommendation: Bind the webhook server to localhost by default or protect it behind a trusted reverse proxy, and verify webhook signatures or shared secrets before processing events.
Memory and Context Poisoning
Severity: Medium. Confidence: High. Status: Note.
scripts/upload_file.py
    with open(file_path, "rb") as f:
        files = {"file": (os.path.basename(file_path), f)}
        response = requests.post(url, files=files, headers=headers)

A user-specified local file is uploaded to the Manus API as remote task context; this is purpose-aligned, but the artifacts do not describe retention or reuse boundaries for uploaded context.

User impact: Sensitive documents uploaded for context may be processed by the remote service and influence downstream task results.
Recommendation: Upload only files needed for the task, remove secrets or personal data first, and check Manus retention and deletion controls.