OpenClaw Docs
Pending
Static analysis audit pending.
Overview
No static analysis result has been recorded yet. Pattern checks will appear here once the artifact has been analyzed.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
If a user follows these docs, OpenClaw cron jobs may continue running and triggering agent work after setup.
The documentation describes persistent scheduled agent activity. This is purpose-aligned documentation, but users should notice that following these examples can create ongoing automation.
Cron is the Gateway’s built-in scheduler. It persists jobs, wakes the agent at the right time ... Jobs persist under `~/.openclaw/cron/`
Review cron jobs before creating them, use clear names and delivery targets, and remove or disable schedules you no longer need.
If configured loosely, external systems could trigger agent runs or send untrusted content into OpenClaw.
The documentation explains how external HTTP requests can trigger agent work. It also includes token and safety guidance, so this is a proportionate documentation note rather than suspicious behavior by the skill.
Gateway can expose a small HTTP webhook endpoint for external triggers ... `POST /hooks/agent` ... Runs an **isolated** agent turn
Keep webhook endpoints behind loopback, tailnet, or a trusted proxy; use dedicated tokens; and avoid disabling external-content safety wrappers.
Installed hooks can run code in response to OpenClaw events.
The docs describe executable hook scripts and hook installation. This is expected for OpenClaw hook documentation, but it is a sensitive capability if users install third-party hooks.
Hooks are small scripts that run when something happens ... Install them with: `openclaw hooks install <path-or-spec>`
Only install hooks from trusted sources, review handler code, and keep hook permissions and event triggers narrow.
If a user follows this setup, OpenClaw may receive Gmail message metadata and body snippets using the user’s authorized account.
The Gmail setup documentation involves authenticated Google/Gmail access and forwarding email content into OpenClaw. This is coherent for the documented integration but should be handled carefully.
`gcloud` installed and logged in ... `gog` installed and authorized for the Gmail account ... `--include-body` and `--max-bytes` control the body snippet sent to OpenClaw
Use the least-privileged accounts and tokens available, limit included email body size, and avoid logging sensitive raw payloads.
