Skillv1.1.1

ClawScan security

Agency Agents · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

BenignApr 18, 2026, 5:56 AM

Verdict: Benign
Confidence: medium
Model: gpt-5-mini
Summary: This is an instruction-only skill that bundles many agent persona documents and usage instructions; it contains no code, install steps, or required credentials and is consistent with its stated purpose, but be cautious about runtime integrations that may request secrets.
Guidance: This package is an instruction-only collection of 49 agent personas and an orchestrator; it appears coherent with its description and contains no code or install steps. Before installing or using it: (1) verify the publisher/source (no official homepage listed); (2) be prepared that some agents (report distribution, CRM/sales extraction, cloud/DevOps agents, app-store/monitoring agents) will require you to provide third‑party credentials if you want them to integrate with external services — only provide minimal, scoped credentials and consider using throwaway/test accounts or read-only tokens; (3) test single-agent tasks first (avoid enabling large orchestrations) and review any prompts before granting access; (4) if you need stronger assurance, request the repository/source URL or a signed release and inspect any runtime code before granting secrets. If you want, I can point out which individual agent markdowns explicitly reference external integrations so you know where credentials are likely to be requested.

Review Dimensions

Purpose & Capability: okThe name/description (AI agent team / 49 agents) match the provided files: many agent persona markdowns, README, QUICKSTART and an orchestrator SKILL.md. There are no unrelated required binaries, credentials, or install steps declared that would conflict with the stated purpose.
Instruction Scope: noteThe SKILL.md runtime instructions are limited to CLI usage examples (/openclaw skill use ...) and provide output/templates. They do not direct the agent to read arbitrary system files or exfiltrate data. However many agent persona docs describe integrations (CRM, cloud providers, email/Slack/WeChat, app stores) that would realistically require runtime credentials or access to external systems — the skill does not declare or require these, so those integrations would be performed only if the user supplies credentials or the agent requests them at runtime.
Install Mechanism: okNo install spec and no code files that are executable are present; the skill is instruction-only. That keeps disk/network install risk low. package.json and markdown files exist but there is no install hook that would download or execute remote code.
Credentials: noteThe skill declares no required environment variables or primary credential. SKILL.md shows optional configuration examples (AGENCY_AGENTS_DEFAULT_DEPARTMENT, AGENCY_AGENTS_QA_LEVEL, etc.). Several agents describe workflows that in practice need third‑party credentials (cloud, CRM, messaging, app stores). This is not an immediate red flag, but users should expect that using certain agents or orchestration flows may prompt them to provide secrets; those will not be auto-collected by the skill as packaged.
Persistence & Privilege: okalways is false and there is no install-time persistence. disable-model-invocation is false (normal), meaning the agent could invoke the skill autonomously if permitted by the platform. That autonomy is the platform default and not by itself suspicious, but combined with user-supplied credentials (for integrations) it increases potential blast radius — consider limiting access scopes when you provide secrets.