Warp Oz
Pass
Audited by VirusTotal on May 11, 2026.
Overview
Type: OpenClaw Skill
Name: oz
Version: 1.1.0
The 'oz' skill bundle provides a Bash wrapper (oz-api.sh) and a Python orchestrator (orchestrator.py) for managing Warp Oz cloud agent pipelines. The scripts demonstrate security-conscious design by supporting 1Password for credential management and passing API keys via stdin to curl to prevent exposure in process logs. All functionality, including the agent role definitions in references/agent-roles.md, is consistent with the stated purpose of cloud-based task orchestration and lacks any indicators of malicious intent or data exfiltration.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Anyone using this skill with your token can start and manage Warp Oz agent work within the token's permissions.
The skill requires a Warp API key to act against the user's Warp Oz account. This is expected for the integration, but it is delegated account authority.
"env": ["WARP_API_KEY"] ... "Warp Oz API Bearer token (wk-*). Get from app.warp.dev → Settings → API Keys."
Use a dedicated or least-privileged Warp API key if available, keep it out of chat logs, and revoke it if you no longer need the skill.
A broad or mistaken prompt could launch unwanted cloud work, affect repository workflows, or consume account resources.
The wrapper exposes broad API operations for cloud agents. This is the skill's advertised purpose, but those operations can create, cancel, inspect, and manage cloud coding runs.
`oz-api.sh` — bash wrapper covering every Oz API endpoint (runs, polls, schedules, artifacts, agents)
Review the exact command, environment ID, prompt, and target skill before running agent jobs, especially for repository-changing work.
Scheduled agents may run later, potentially consuming resources or changing repository state if the schedule is left enabled.
The script can create enabled cron schedules for agents. This is documented and user-invoked, but it creates activity that can continue after the initial chat.
cmd_schedule_create() ... local prompt="" cron="" env_id="" name="" base_prompt="" enabled="true" ... api_call_verbose POST "/agent/schedules" -d "$json"
Create schedules only intentionally, use clear names, review schedule lists periodically, and pause or delete schedules that are no longer needed.
Incorrect, sensitive, or adversarial content from one stage could be reused by later stages or carried through a shared sandbox.
The orchestrator forwards one stage's status message and session link into the next stage's prompt. This is expected for multi-agent pipelines, but prior agent output can influence later agents.
Summary: {prev.status_message}\nSession: {prev.session_link}\n\nContinue the work.
Inspect intermediate results for sensitive or suspicious content, and use isolated conversations when appropriate, such as the documented `--no-conversation` option.
