Proactive Claw Integrations

Security checks across malware telemetry and agentic risk

Overview

The artifacts match the advertised optional integrations, but users should enable them deliberately because they can use authenticated accounts, cache calendar context, and install a background scheduler.

This add-on appears coherent and disclosed, but it is meant for users who want networked and background Proactive Claw features. Enable only the integrations you need, review account/token scopes, and run the daemon installer only if you want recurring background automation.

VirusTotal

65/65 vendors flagged this skill as clean.

Risk analysis

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

ASI10: Rogue Agents
Medium
What this means

If the user runs this installer, Proactive Claw workflows can continue running in the background after the current session.

Why it was flagged

The script can install and start a user-level background scheduler that runs the Proactive Claw daemon every 15 minutes.

Skill content

<key>StartInterval</key>\n  <integer>900</integer> ... launchctl load "$PLIST" ... systemctl --user enable --now openclaw-proactive-claw.timer

Recommendation

Run the daemon installer only if you want periodic background automation, and keep the provided stop commands handy.

ASI03: Identity and Privilege Abuse
Medium
What this means

The skill may read account-linked metadata such as PRs, issues, Notion page titles, and calendar events when those integrations are enabled.

Why it was flagged

The integrations rely on authenticated accounts or tokens for GitHub, Notion, calendar access, and optional ClawHub credential provisioning.

Skill content

GitHub via `gh` CLI ... Notion API search ... Reads calendars shared with the authenticated account ... Optional `credentials.json` fetch from `https://clawhub.ai`

Recommendation

Use least-privileged accounts/tokens where possible and enable only the integrations you actually need.

ASI06: Memory and Context Poisoning
Medium
What this means

Calendar context for registered team members can remain on disk and be reused by the skill.

Why it was flagged

Team calendar event titles and timing information are stored in a persistent local database for later coordination.

Skill content

DB_FILE = SKILL_DIR / "memory.db" ... CREATE TABLE IF NOT EXISTS team_events (... event_title TEXT ... event_start TEXT ...)

Recommendation

Add only team members whose calendar use is appropriate, remove members when no longer needed, and protect the OpenClaw workspace directory.

ASI04: Agentic Supply Chain Vulnerabilities
Low
What this means

Users who choose this path depend on a remote service for the OAuth client file.

Why it was flagged

The optional helper can fetch a Google OAuth client definition from ClawHub, but it requires explicit opt-in and SHA-256 pin verification before writing the file.

Skill content

Endpoint: https://clawhub.ai/api/oauth/google-calendar-credentials ... clawhub_credentials_sha256 ... Refusing to download unpinned remote credentials.

Recommendation

Prefer manual credential setup if you do not want remote provisioning; if using this helper, verify the SHA-256 pin source before running it.