Skill v1.0.0

ClawScan security

Star Office UI · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Review: Mar 3, 2026, 4:07 PM
Verdict: Review
Confidence: medium
Model: gpt-5-mini
Summary
The skill largely does what its name/description say (a local pixel-office web UI), but several implementation choices are unexpected or disproportionate (reading a memory folder outside the project root, hard-coded absolute paths, baked-in join keys, and helper scripts that assume /root/.openclaw or a .venv), so review and containment are recommended before running it on important hosts.
Guidance
High-level takeaways and recommended precautions before running:

- Behavior summary: This repo runs a local Flask backend and a static frontend to show a pixel office dashboard. It supports inviting remote agents (join/agent-push) and will read a 'memory' file for the "yesterday memo" feature.
- Main concerns to review before running:
  1) Memory directory reads outside the repo: backend/app.py sets MEMORY_DIR to the folder one level above the project root (../memory). That means the service will open files outside the cloned repo if they exist. If you don't control that parent folder, sensitive files could be read. Put the project in an isolated directory or ensure ../memory is empty/controlled.
  2) Hard-coded absolute paths and environment assumptions: convert_to_webp.py uses /root/.openclaw/workspace/frontend as the FRONTEND_DIR and backend/run.sh expects a .venv path. These scripts may fail or unexpectedly touch host paths if run as-is. Inspect and edit these paths or run in a container/VM.
  3) Built-in join keys and public access: the repository includes join-keys.json and documentation describing reusable join keys. If you publish this service to the Internet (via Cloudflare Tunnel or reverse proxy) those keys control who can join and push state. Rotate or remove demo keys and add authentication if you intend to make it public.
  4) Run in isolation: because the service listens on HTTP and accepts remote agent pushes, run it in a sandbox (container, VM, or throwaway machine) when testing. Avoid running as root and avoid exposing it to the public internet until you harden join/auth.
  5) Inspect network logic before inviting others: review office-agent-push.py and any other scripts that perform HTTP requests to understand what data is transmitted, how agent IDs are handled, and whether any unexpected endpoints are contacted.
  6) Art asset/licensing: README and docs declare art assets are non-commercial; respect those constraints if you redistribute.
- What would change this assessment: If you provide a modified version where MEMORY_DIR is inside the project, absolute /root paths are removed, join keys are not baked-in (or are randomized/require explicit configuration), and office-agent-push.py/network behavior is restricted/credentialed, the concerns reduce and the skill would be coherent for benign use. Conversely, if additional files show exfiltration or the agent-push scripts phone home to unknown servers, the verdict should be upgraded to malicious. If you want, I can: (a) point to exact lines in files that set MEMORY_DIR and the /root path, (b) summarise office-agent-push.py network behavior, or (c) propose minimal edits to make the repo safer to run locally.

Review Dimensions

Purpose & Capability
note: The code and SKILL.md match the described purpose: a multi-agent pixel office UI with endpoints for join/agent-push, a local backend (Flask), and a frontend. However, there are oddities that are not necessary for a simple local demo: (1) convert_to_webp.py contains an absolute FRONTEND_DIR path (/root/.openclaw/workspace/...), (2) backend/run.sh expects a .venv path, and (3) the repo includes join-keys.json (fixed join keys) which the service relies on. These are plausible developer artifacts but are not strictly required by the user-facing feature and warrant caution.
Instruction Scope
concern: SKILL.md tells the agent to git clone the repo and run the backend, plus to put 'memory/YYYY-MM-DD.md' in the parent directory so the backend will read it. The backend intentionally looks for a memory directory one level above the project root (MEMORY_DIR = ../memory). That means the service will read files outside the checked-out repo if present — a scope expansion that could access host data the user didn't expect. The instructions also recommend opening a Cloudflare Tunnel and include guidance to invite other agents (office-agent-push.py) — which is expected for a public demo but increases exposure. Overall the runtime instructions are functional but instruct the service to read a path outside the repo and to accept remote agent pushes, which should be considered before deployment.
Install Mechanism
ok: No install spec is declared (instruction-only). SKILL.md instructs cloning a public GitHub repo and pip-installing backend/requirements.txt (flask). This is a common, low-risk pattern compared to remote binary downloads. No remote archive/extract URLs or obscure installers are used in the provided files.
Credentials
note: The skill declares no required environment variables or credentials, which matches its simple backend/frontend purpose. Despite that, several files contain hard-coded absolute paths (e.g., convert_to_webp.py uses /root/.openclaw/workspace), and run.sh expects a .venv under the project root; these are disproportionate to the stated function and could cause the scripts to access unexpected locations or fail. join-keys.json baked into the repo provides reusable join keys; if the server is made publicly reachable, those keys control who can join and should be rotated/removed for production.
Persistence & Privilege
ok: The skill is not marked always:true and does not request elevated platform privileges. It writes/reads local state files (state.json, agents-state.json, join-keys.json) inside the project and a memory folder one level up — normal for an application of this type but another reason to run it in an isolated environment. It does not modify other skills or global agent settings.