v1.0.0

Kilocode Model Sync

BenignClawScan verdict for this skill. Analyzed May 1, 2026, 8:14 AM.

Analysis

This is a disclosed model-sync workflow, but it uses a Kilo API key, can update OpenClaw configuration, restart the gateway, and send Telegram/session messages, so only run it if those actions are intended.

GuidanceDo not run this deprecated skill unless you specifically need this Kilocode sync workflow. Before approving a patch, verify the generated model changes, confirm the Telegram recipient and approval source, and make sure you are comfortable with it modifying ~/.openclaw/openclaw.json and restarting the OpenClaw gateway.

Findings (4)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

Abnormal behavior control

Checks for instructions or behavior that redirect the agent, misuse tools, execute unexpected code, cascade across systems, exploit user trust, or continue outside the intended task.

Tool Misuse and Exploitation

SeverityMediumConfidenceHighStatusNote

scripts/apply_patch.py

OPENCLAW_JSON.write_text(json.dumps(updated_config, indent=2)) ... subprocess.run([openclaw, "gateway", "restart"],

The apply script can overwrite the Kilocode model list in ~/.openclaw/openclaw.json and restart the OpenClaw gateway. This is high-impact but matches the stated purpose and includes backup behavior.

User impactApproving a patch can change which Kilocode models OpenClaw uses and briefly restart the local gateway.

RecommendationReview the generated patch before approval, confirm the backup path is created, and be prepared to restore the backup if the gateway behaves unexpectedly.

Permission boundary

Checks whether tool use, credentials, dependencies, identity, account access, or inter-agent boundaries are broader than the stated purpose.

Identity and Privilege Abuse

SeverityMediumConfidenceHighStatusNote

SKILL.md

Requires KILOCODE_API_KEY in ~/.openclaw/.env.

The skill needs a local API credential to access the Kilo AI API. This is expected for the sync purpose, and the provided code does not show credential logging or unrelated transmission.

User impactInstalling users must provide or already have a Kilo API key available locally, which grants access to the Kilo model API.

RecommendationUse a narrowly scoped Kilo API key if available, keep ~/.openclaw/.env private, and verify the key is only needed for this sync task.

Sensitive data protection

Checks for exposed credentials, poisoned memory or context, unclear communication boundaries, or sensitive data that could leave the user's control.

Insecure Inter-Agent Communication

SeverityMediumConfidenceHighStatusNote

SKILL.md

Use the `message` tool with `channel=telegram`, target Guillaume's chat ... Grog will relay a `sessions_send` message ... containing either: `approve` — proceed to apply

The workflow sends results through Telegram and relies on an inter-agent sessions_send approval signal before applying changes. This is disclosed, but users should confirm the intended recipient and approval source.

User impactModel-sync details and local backup paths may be sent outside the local session, and an approval message can trigger configuration changes.

RecommendationConfirm the Telegram target is correct for your environment and require clear, intentional approval before applying any patch.

Memory and Context Poisoning

SeverityLowConfidenceHighStatusNote

SKILL.md

Append to `~/.openclaw/workspace/memory/YYYY-MM-DD.md`

The skill records sync outcomes in persistent workspace memory. The content appears limited to model-sync status, counts, backup paths, and approval notes.

User impactA local history of sync activity and file paths will persist after the task completes.

RecommendationAvoid adding secrets to these memory notes and delete old sync records if you do not want them retained.