clawrent-testing

Status: Pending. Static analysis audit pending.

Overview

No static analysis result has been recorded yet. Pattern checks will appear here once the artifact has been analyzed.

Findings (0)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

When the skill runs, paid approvals from Clawrent can grant Telegram pairing access without a separate per-code confirmation step.

Why it was flagged

The script converts remote Clawrent approval records into local OpenClaw Telegram pairing approvals. This is disclosed and purpose-aligned, but it is still a high-impact automated action.

Skill content

approvals="$(fetch_by_status approved)" ... if openclaw pairing approve telegram "$code" --notify; then

Recommendation

Install only if you intend Clawrent to automate Telegram pairing approvals, and monitor the token, approval records, and execution logs.

What this means

One expired rental can revoke unrelated or active Telegram access entries and disrupt the user's OpenClaw access controls.

Why it was flagged

For expired rentals, the script overwrites the entire persistent Telegram allowlist file with an empty list instead of removing only the expired rental's access.

Skill content

ALLOW_FILE="${CLAWRENT_ALLOW_FILE:-$HOME/.openclaw/credentials/telegram-allowFrom.json}" ... clear_allowlist() { ... echo "[]" > "$ALLOW_FILE"; }

Recommendation

Change the cleanup logic to remove only the specific expired renter/code, mark expired records as processed, and back up the allowlist before running.