clawrent-testing

Warn

Audited by ClawScan on May 10, 2026.

Overview

The skill mostly matches its stated Clawrent purpose, but its expired-rental cleanup can wipe the entire local Telegram allowlist instead of only the expired renter.

Use this only if you trust Clawrent to grant Telegram pairing access automatically. Before installing, review or fix the expiration cleanup so it removes only the intended expired rental, protect CLAWRENT_TOKEN, and consider backing up the Telegram allowlist.

Findings (2)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

When the skill runs, paid approvals from Clawrent can grant Telegram pairing access without a separate per-code confirmation step.

Why it was flagged

The script converts remote Clawrent approval records into local OpenClaw Telegram pairing approvals. This is disclosed and purpose-aligned, but it is still a high-impact automated action.

Skill content

approvals="$(fetch_by_status approved)" ... if openclaw pairing approve telegram "$code" --notify; then

Recommendation

Install only if you intend Clawrent to automate Telegram pairing approvals, and monitor the token, approval records, and execution logs.

What this means

One expired rental can revoke unrelated or active Telegram access entries and disrupt the user's OpenClaw access controls.

Why it was flagged

For expired rentals, the script overwrites the entire persistent Telegram allowlist file with an empty list instead of removing only the expired rental's access.

Skill content

ALLOW_FILE="${CLAWRENT_ALLOW_FILE:-$HOME/.openclaw/credentials/telegram-allowFrom.json}" ... clear_allowlist() { ... echo "[]" > "$ALLOW_FILE"; }

Recommendation

Change the cleanup logic to remove only the specific expired renter/code, mark expired records as processed, and back up the allowlist before running.