OpenClaw Docs

Pass. Audited by VirusTotal on May 12, 2026.

Overview

Type: OpenClaw Skill
Name: openclaw-docs
Version: 1.0.1

The skill bundle `openclaw-docs` is classified as **suspicious**. The primary purpose of this skill bundle is to provide comprehensive documentation for the OpenClaw agent. The `SKILL.md` and the numerous `references/*.md` files are indeed documentation. However, in the OpenClaw ecosystem, markdown instructions are treated as an attack surface, meaning an AI agent could potentially execute commands or follow instructions found within them.

The documentation extensively details how to configure, operate, and troubleshoot OpenClaw, which inherently involves powerful capabilities. Many code blocks contain direct shell commands (`openclaw ...`, `gcloud ...`, `docker ...`, `ssh ...`, `npm ...`, `pnpm ...`, `curl ...`, `tailscale ...`, `signal-cli ...`, `zca ...`, `ffmpeg`, `ffprobe`, `tccutil`, `launchctl`, `systemctl`, `chmod`, `chown`, `sudo`, `openssl rand -hex 32`) and configuration snippets that, if executed by an AI agent without proper user consent or sandboxing, could lead to significant security risks.

Specifically, the following indicators contribute to the 'suspicious' classification:

1. **Arbitrary Code Execution / System Modification**:
   * **`references/automation/hooks.md`**: Details how to create and install "hooks" with `handler.ts` files, allowing arbitrary TypeScript/JavaScript code execution within the Gateway process. It also mentions the `boot-md` hook which executes `BOOT.md` on startup, and `

Findings (0)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

Note: High Confidence
ASI10: Rogue Agents
What this means

If a user follows these docs, OpenClaw cron jobs may continue running and triggering agent work after setup.

Why it was flagged

The documentation describes persistent scheduled agent activity. This is purpose-aligned documentation, but users should notice that following these examples can create ongoing automation.

Skill content

Cron is the Gateway’s built-in scheduler. It persists jobs, wakes the agent at the right time ... Jobs persist under `~/.openclaw/cron/`

Recommendation

Review cron jobs before creating them, use clear names and delivery targets, and remove or disable schedules you no longer need.

What this means

If configured loosely, external systems could trigger agent runs or send untrusted content into OpenClaw.

Why it was flagged

The documentation explains how external HTTP requests can trigger agent work. It also includes token and safety guidance, so this is a proportionate documentation note rather than suspicious behavior by the skill.

Skill content

Gateway can expose a small HTTP webhook endpoint for external triggers ... `POST /hooks/agent` ... Runs an **isolated** agent turn

Recommendation

Keep webhook endpoints behind loopback, tailnet, or a trusted proxy; use dedicated tokens; and avoid disabling external-content safety wrappers.

What this means

Installed hooks can run code in response to OpenClaw events.

Why it was flagged

The docs describe executable hook scripts and hook installation. This is expected for OpenClaw hook documentation, but it is a sensitive capability if users install third-party hooks.

Skill content

Hooks are small scripts that run when something happens ... Install them with: `openclaw hooks install <path-or-spec>`

Recommendation

Only install hooks from trusted sources, review handler code, and keep hook permissions and event triggers narrow.

What this means

If a user follows this setup, OpenClaw may receive Gmail message metadata and body snippets using the user’s authorized account.

Why it was flagged

The Gmail setup documentation involves authenticated Google/Gmail access and forwarding email content into OpenClaw. This is coherent for the documented integration but should be handled carefully.

Skill content

`gcloud` installed and logged in ... `gog` installed and authorized for the Gmail account ... `--include-body` and `--max-bytes` control the body snippet sent to OpenClaw

Recommendation

Use the least-privileged accounts and tokens available, limit included email body size, and avoid logging sensitive raw payloads.