Openclaw Genie
Review
Audited by ClawScan on May 1, 2026.
Overview
This is a documentation-only OpenClaw reference skill; it is coherent and not malicious, but it describes powerful OpenClaw setup options that users should enable carefully.
This skill appears safe to install as a reference skill. When following its OpenClaw documentation, review command blocks before running them, avoid unneeded daemon/background operation, grant only the credentials and platform scopes you need, keep sandboxing and approvals enabled, and be careful with memory indexing or remote provider settings for sensitive data.
Findings (5)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
If a user copies these commands, they may execute remote installer code and create a persistent local OpenClaw service.
The documentation shows user-directed OpenClaw installation commands that run a remote script, install the latest package, and install a daemon. This is central to the OpenClaw setup purpose, but users should verify the source before running them.
curl -fsSL https://openclaw.ai/install.sh | bash ... npm install -g openclaw@latest ... openclaw onboard --install-daemon
Review the installer source, prefer pinned versions where practical, and only install the daemon if you want OpenClaw running persistently.
Misconfigured OpenClaw tools could allow an agent to run commands or affect local systems beyond a normal chat interaction.
The skill documents OpenClaw tool capabilities that can run shell commands on different hosts. This is expected for an OpenClaw tools reference, but it is high-impact if enabled without sandboxing or approvals.
## Exec Tool Runs shell commands with foreground/background execution. ... `host` | `sandbox` / `gateway` / `node`
Keep sandboxing and approval prompts enabled, use deny/allow lists, and avoid granting gateway or node execution unless you need it.
Connecting OpenClaw to messaging platforms can let the agent read messages, send messages, react, and handle files depending on the scopes granted.
The OpenClaw channel setup reference includes broad messaging and file permissions for integrations such as Slack. These permissions are purpose-aligned for messaging integrations but grant real account authority.
Scopes: `chat:write`, `channels:history`, `channels:read`, `groups:history`, `im:history`, `app_mentions:read`, `assistant:write`, `reactions:read/write`, `files:read/write`, `commands`, + more.
Use least-privilege app scopes, store tokens as secrets, and restrict channel access with allowlists or pairing policies.
If enabled broadly, OpenClaw memory search may persist or index private notes, transcripts, or other local Markdown content for later agent use.
The memory reference documents optional indexing of files outside the workspace and session transcripts. This is aligned with OpenClaw memory/search features but can involve private local content.
`extraPaths`: [], // index Markdown outside workspace ... `sessionMemory`: false, // index session transcripts
Keep `extraPaths` narrow, leave session transcript indexing off unless needed, and understand where embeddings and indexes are stored.
A user might over-assume that every OpenClaw configuration is local-only, even when enabling remote providers or third-party channels.
The privacy claim is broad. Other references document external model providers, messaging platforms, OAuth, and remote embedding/PDF processing options, so locality depends on configuration.
All data stays local.
Treat local-only operation as configuration-dependent; review model, embedding, PDF, browser, and channel settings before handling sensitive data.
