Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Clawsy
v1.0.3
Clawsy is a native macOS companion app that gives your OpenClaw agent eyes and hands on the user's Mac — screenshots, clipboard, camera, files, location, and...
⭐ 0 · 705 · 3 current · 3 all-time
by @iret77
MIT-0
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
medium confidence
Purpose & Capability
Clawsy claims to provide macOS capabilities (screenshots, camera, clipboard, files, location), and the instructions/tools referenced (nodes/session APIs, pairing flow) align with that purpose. However, the skill requires the gateway host and auth token (extracted from ~/.openclaw/gateway.json) to pair; reading and transmitting that token is sensitive and is not declared in the skill's requirements.
Instruction Scope
SKILL.md and metadata contain explicit runtime instructions to read ~/.openclaw/gateway.json (via a postInstall python command and shell examples) and to send the exact host/token block to the user. It also mandates inserting a Clawsy context block into every sub-agent system prompt and instructs 'Don't ask for permission first' when Clawsy is connected. These instructions escalate scope (reading local auth files, automatic credential disclosure, mandatory prompt injection/proliferation) beyond normal helper behavior.
Install Mechanism
There is no install spec or bundled code (instruction-only), and the download link points to a GitHub releases URL (reasonable). However, the skill metadata includes a postInstall hook that will run a python command on install to read ~/.openclaw/gateway.json; that runtime action writes nothing to disk but will access sensitive local config.
Credentials
The skill requests no declared env vars, yet it explicitly reads a local config file to extract the gateway authToken and host and instructs the agent to forward that token to the user. Accessing and transmitting the gateway auth token is a high-privilege action not made explicit in the skill's declared requirements and is disproportionate unless the user explicitly consents and understands the consequence.
Persistence & Privilege
The skill does not set always:true, but it demands that every spawned sub-agent include a mandatory Clawsy context block (a form of runtime propagation / prompt override). This effectively forces Clawsy-related behavior into future sub-agents and can broaden the skill's influence across agent activities — a privacy/propagation risk.
Scan Findings in Context
[system-prompt-override] unexpected: SKILL.md explicitly requires inserting a Clawsy context/prompt into every sub-agent system prompt (a prompt-injection style instruction). While this could be intended to enable sub-agents to use Clawsy, it is not an expected benign artifact for a simple companion skill because it enforces behavior across unrelated sub-agents and can be abused to propagate influence.
What to consider before installing
This skill is plausible for a macOS companion app, but it asks the agent to read your local OpenClaw gateway config (~/.openclaw/gateway.json) and to send the gateway host and auth token directly to the user/Clawsy app. Before installing:
1) Verify the Clawsy app source and repository owner (the SKILL points at github.com/iret77/clawsy).
2) Understand that sharing your gateway auth token allows the remote Mac to pair to your gateway — only share this if you trust the device and operator.
3) Consider whether automatic disclosure of the token is acceptable; if not, perform pairing manually and avoid running the postInstall commands.
4) Note the skill forces a Clawsy prompt block into every sub-agent and recommends using Clawsy capabilities without explicit user permission — this can leak data or expand access unexpectedly.
5) If you proceed, limit exposure: audit the gateway authToken, rotate/revoke it after testing, and only install on machines you control or trust.
If unsure, treat this skill as untrusted and do not enable it.
SKILL.md:64
Prompt-injection style instruction pattern detected.
About static analysis
These patterns were detected by automated regex scanning. They may be normal for skills that integrate with external APIs. Check the VirusTotal and OpenClaw results above for context-aware analysis.
Like a lobster shell, security has layers — review code before you run it.
Tags: bridge · latest · macos · openclaw · productivity · tools
Runtime requirements
🐱 Clawdis
