Checkmate
WarnAudited by ClawScan on May 10, 2026.
Overview
Checkmate is transparent about being powerful, but it can run long-lived autonomous sub-agents with shell access, web access, installed skills, and OAuth-connected accounts.
Install only if you want a high-privilege autonomous quality loop. Prefer interactive mode, avoid batch/background runs for sensitive tasks, use a sandbox or reduced-permission agent profile, verify the recipient/session routing, and avoid putting secrets or untrusted instructions into checkpoint replies.
Findings (7)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
A task can lead autonomous workers to run commands, browse/fetch web content, use installed skills, or spawn more agents, especially if batch mode is used.
The skill explicitly grants spawned workers broad tool access and allows a mode where the loop runs without user checkpoints.
Spawned workers and judges inherit full host-agent runtime, including: - `exec` (arbitrary shell commands) - `web_search`, `web_fetch` - All installed skills ... - `sessions_spawn` ... Batch mode (`--no-interactive`) removes all human gates.
Use only in interactive mode for trusted tasks, keep max iterations/timeouts low, and run in a sandbox or reduced-permission agent profile when possible.
A worker could act through connected accounts such as mail or cloud storage if the task, prompt content, or feedback steers it there.
Workers and judges inherit access to third-party account integrations rather than being limited to the specific task or a scoped credential.
All installed skills (including those with OAuth-bound credentials — Gmail, Drive, etc.)
Before using this skill, disable unnecessary OAuth-connected skills or run it in an account/profile with only the credentials needed for the task.
During a checkpoint, a later user message may be treated as Checkmate input and written to disk before the agent handles it normally.
The orchestrator injects a directive into the live agent session that forces message delivery and changes how the agent handles the user's next reply.
Do the following immediately:\n\n1. **Relay this checkpoint to the user** using the message tool ...\n\n2. **Bridge their reply**: ... immediately write their verbatim reply to `{workspace}/user-input.md` before doing anything else.Respond to Checkmate checkpoints deliberately, avoid sending unrelated or sensitive messages while a checkpoint is pending, and cancel/stop the run if you no longer want the bridge active.
A run may continue using compute, tools, and account integrations after the initial chat turn unless the user monitors or stops it.
The skill is designed to launch a background orchestration process that can keep spawning worker/judge sessions until completion or iteration limits.
Use `exec` with `background=true`. This runs for as long as needed.
Track the process/workspace, avoid `nohup` or unattended batch runs for sensitive work, and know how to stop the background process.
Private information in checkpoint replies may be stored in the workspace, and pasted third-party instructions could steer the loop.
Checkpoint replies are persisted and reused by the orchestrator, so sensitive or untrusted text can influence later high-privilege actions.
User-input bridging writes arbitrary content to disk. When you reply to a checkpoint, the main agent writes your reply verbatim to `user-input.md` in the workspace. The orchestrator reads it and acts on it.
Use a private workspace, avoid secrets in checkpoint replies, and do not paste untrusted third-party content as instructions.
If the wrong session UUID, channel, or recipient is supplied, checkpoint content could be sent to the wrong place or bridged through the wrong session.
The skill relies on session UUID lookup, live-session injection, and channel recipient IDs to route checkpoint messages.
`openclaw gateway call sessions.list` — resolve session UUID for turn injection ... `openclaw agent --session-id <UUID>` — inject checkpoint messages into the live session ... `openclaw message send` — fallback channel delivery
Verify the session UUID, channel, and recipient before starting, especially when multiple sessions or messaging channels are active.
Users may underestimate the runtime requirements and may have less provenance information for a high-privilege skill.
The registry metadata does not fully reflect the skill's documented need to run Python/OpenClaw scripts and does not provide a clear source or homepage.
Source: unknown; Homepage: none ... Required binaries (all must exist): none ... No install spec — this is an instruction-only skill.
Review the included scripts before use, install only from a trusted registry/source, and confirm `openclaw` and Python are expected in your environment.