OpenClaw Docs
Audited by ClawScan on May 10, 2026.
Overview
Prompt-injection indicators were detected in the submitted artifacts (system-prompt-override, unicode-control-chars); human review is required before treating this skill as clean.
This skill appears safe as a documentation reference. Before copying commands from it, especially for cron jobs, hooks, webhooks, Gmail, or messaging channels, confirm what will persist, what account or token it uses, and what data may be sent to OpenClaw or external services. ClawScan detected prompt-injection indicators (system-prompt-override, unicode-control-chars), so this skill requires review even though the model response was benign.
Findings (4)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
If a user follows these docs, OpenClaw cron jobs may continue running and triggering agent work after setup.
The documentation describes persistent scheduled agent activity. This is purpose-aligned documentation, but users should notice that following these examples can create ongoing automation.
Cron is the Gateway’s built-in scheduler. It persists jobs, wakes the agent at the right time ... Jobs persist under `~/.openclaw/cron/`
Review cron jobs before creating them, use clear names and delivery targets, and remove or disable schedules you no longer need.
If configured loosely, external systems could trigger agent runs or send untrusted content into OpenClaw.
The documentation explains how external HTTP requests can trigger agent work. It also includes token and safety guidance, so this is a proportionate documentation note rather than suspicious behavior by the skill.
Gateway can expose a small HTTP webhook endpoint for external triggers ... `POST /hooks/agent` ... Runs an **isolated** agent turn
Keep webhook endpoints behind loopback, tailnet, or a trusted proxy; use dedicated tokens; and avoid disabling external-content safety wrappers.
Installed hooks can run code in response to OpenClaw events.
The docs describe executable hook scripts and hook installation. This is expected for OpenClaw hook documentation, but it is a sensitive capability if users install third-party hooks.
Hooks are small scripts that run when something happens ... Install them with: `openclaw hooks install <path-or-spec>`
Only install hooks from trusted sources, review handler code, and keep hook permissions and event triggers narrow.
If a user follows this setup, OpenClaw may receive Gmail message metadata and body snippets using the user’s authorized account.
The Gmail setup documentation involves authenticated Google/Gmail access and forwarding email content into OpenClaw. This is coherent for the documented integration but should be handled carefully.
`gcloud` installed and logged in ... `gog` installed and authorized for the Gmail account ... `--include-body` and `--max-bytes` control the body snippet sent to OpenClaw
Use the least-privileged accounts and tokens available, limit included email body size, and avoid logging sensitive raw payloads.
