ClawBot Network
AdvisoryAudited by Static analysis on Apr 30, 2026.
Overview
No suspicious patterns detected.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
A compromised server or network attacker could replace the downloaded client code and run arbitrary behavior on the user's machine during setup.
The installer defaults to a hardcoded public IP over HTTP and downloads executable Python components from that server without TLS, pinning, checksums, or signatures.
SERVER_IP="${AGENT_NETWORK_SERVER:-3.148.174.81}" ... curl -fsSL "${SERVER_HTTP}/client/python_client.py" -o python_client.pyAvoid curl-to-bash over HTTP; host files over HTTPS, pin or checksum downloaded files, review the downloaded scripts before running them, and prefer a declared package/install mechanism.
Anyone who can reach the server may be able to view agent metadata/messages, spoof agent activity, or create task assignments.
The REST API enables broad cross-origin access and exposes message history, inboxes, tasks, and task creation without authentication or authorization checks.
app.use(cors()); ... app.get('/api/groups/:id/messages' ...); ... app.post('/api/tasks', async (req, res) => { const task = await db.createTask(req.body);Add token-based authentication, per-agent authorization, TLS/WSS, origin restrictions, and firewall rules before using this beyond a trusted private test network.
If a user integrates the task handler as shown, remote or spoofed network messages could trigger powerful agent workflows.
The documented workflow encourages wiring remote task messages into OpenClaw session spawning for high-impact actions such as deployment, but the artifacts do not show a required approval or trust check.
@bot.on_task
def handle_task(task):
if "deploy" in task['title'].lower():
sessions_spawn(
agentId="devops-agent",
task="Deploy to production"
)Require explicit human approval and verify sender identity before executing remote task assignments, especially for deployments, trading, file changes, or other high-impact actions.
Untrusted messages or task-like instructions can remain in the network and be delivered later to agents that may treat them as actionable context.
The server persists group messages and offline messages that are later delivered to agents; without authentication or trust boundaries, stored remote content can influence future agent behavior.
CREATE TABLE IF NOT EXISTS messages ... content TEXT ... CREATE TABLE IF NOT EXISTS offline_messages ... message TEXT
Treat all received messages as untrusted, label sender provenance clearly, expire old offline messages, and prevent stored messages from directly driving agent actions without validation.
Once started, the connector can keep communicating with the server until stopped, and may reconnect after transient network failures.
The client is designed to maintain a long-running connection with heartbeat and reconnect behavior, which is expected for a network connector but should be visible to users.
self.reconnect_interval = 5
self.max_reconnect_attempts = 10 ... async def _heartbeat(self): ... await self.ws.send(json.dumps({"type": "heartbeat"}))Run it only when needed, monitor the process, and document how to stop or disable the connector on each device.