ClawHub

Motion

Security checks across static analysis, malware telemetry, and agentic risk

Overview

This is a clearly disclosed Motion integration through ClawLink, but using it requires trusting the ClawLink plugin/service with access to Motion data and approved task changes.

Before installing, verify that you trust the ClawLink plugin and service, connect only the intended Motion account, and carefully review any preview before approving task, assignment, due-date, or bulk schedule changes.

Static analysis

No static analysis findings were reported for this release.

VirusTotal

VirusTotal findings are pending for this skill version.

View on VirusTotal

Risk analysis

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

#
ASI04: Agentic Supply Chain Vulnerabilities
Low
What this means

The user must trust the ClawLink plugin and its source because the plugin will provide the actual tools used to access Motion.

Why it was flagged

The skill itself has no code, but it depends on a separate plugin installation that is outside this artifact set.

Skill content
Install the verified ClawLink plugin: `openclaw plugins install clawhub:clawlink-plugin`
Recommendation

Install the plugin only from the stated trusted registry/source and review ClawLink’s verification and documentation before connecting accounts.

#
ASI03: Identity and Privilege Abuse
Low
What this means

Pairing ClawLink and connecting Motion allows OpenClaw via ClawLink to access the connected Motion account within the approved permissions.

Why it was flagged

The skill discloses persistent delegated authentication through ClawLink, which is expected for the integration but grants ongoing access authority.

Skill content
The resulting device credential is stored locally in OpenClaw's plugin config and is only sent to `claw-link.dev`.
Recommendation

Connect only the intended Motion account, review the permissions during setup, and do not paste raw credentials into chat.

#
ASI02: Tool Misuse and Exploitation
Low
What this means

Approved tool calls could modify tasks, due dates, assignments, or statuses in Motion.

Why it was flagged

The skill can trigger Motion write actions, including task and schedule changes, but it explicitly requires confirmation for sensitive or bulk changes.

Skill content
Create or update tasks after confirmation ... Confirm before changing assignments, due dates, or task status in bulk
Recommendation

Review previews carefully and confirm only changes you actually want, especially for bulk or schedule-sensitive updates.

#
ASI07: Insecure Inter-Agent Communication
Low
What this means

Motion data and tool requests may pass through ClawLink as part of the connected integration workflow.

Why it was flagged

Motion access is mediated by a third-party integration hub, creating an external trust boundary for credentials, tool discovery, and data exchange.

Skill content
Powered by [ClawLink](https://claw-link.dev), an integration hub for OpenClaw that handles hosted connection flows and credentials
Recommendation

Use this skill only if you trust ClawLink’s service and are comfortable routing Motion integration activity through it.