Clawsy
Warn. Audited by ClawScan on May 10, 2026.
Overview
Clawsy is purpose-aligned as a Mac companion app, but it requests very broad Mac access, exposes the OpenClaw gateway token, encourages use without asking permission, and relies on an unreviewed native app install flow.
Install only if you fully trust the Clawsy native macOS app and are comfortable giving your agent access to screen, camera, clipboard, files, and location. Verify the GitHub release, avoid sharing the gateway token in untrusted channels, prefer scoped/revokable pairing, and require the agent to ask before using sensitive Mac capabilities.
Findings (7)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Future delegated agents may inherit Clawsy access and reporting behavior even when the user did not ask for Mac-control features.
The skill instructs the agent to make Clawsy instructions authoritative for all delegated agents, including future ones, rather than limiting them to user-requested Clawsy tasks.
Quoted from the skill: "Copy this verbatim into every sub-agent system prompt... This applies to all sub-agents — current and future."
Only pass Clawsy context to sub-agents when the user explicitly requests Clawsy use, and avoid placing skill text into system prompts.
The agent may capture screen or camera data, read or write the clipboard, access location, or mutate files without a fresh user confirmation.
This instruction applies to sensitive commands listed in the same file, including screenshots, camera, clipboard, file operations, deletion, and location.
Quoted from the skill: "**Rule:** If Clawsy is connected and it improves UX — use it. Don't ask for permission first."
Require explicit user consent for screen, camera, clipboard, location, and file mutation actions; require confirmation for delete, batch, or public-impact actions.
Anyone who sees or receives the setup token may be able to connect to the user's OpenClaw gateway or authorize a powerful Mac companion integration.
The skill instructs the agent to read the OpenClaw gateway auth token from local configuration and send the actual token as setup material.
Quoted from the skill: "read them manually: cat ~/.openclaw/gateway.json ... print('token:', c.get('authToken','')) ... Replace the placeholders with the real values. Do not send placeholders."
Use a short-lived, scoped pairing code instead of the full gateway token, declare this credential requirement in metadata, and give users clear revocation instructions.
The installed native app could differ from what the skill reviewer saw, especially if the latest release changes.
The skill depends on an external latest-release native app that is outside the reviewed skill artifacts and is not pinned by version or checksum.
Quoted from the skill: "Download Clawsy (free, macOS 14+): https://github.com/iret77/clawsy/releases/latest"
Pin a specific release, publish checksums/signatures, link the registry source to the reviewed repository, and document the exact app provenance.
The user may bypass macOS safety prompts for an app that can access sensitive device features.
The setup instructions tell the user to run a downloaded native app and remove macOS quarantine attributes.
Quoted from the skill: "Unzip, drag to /Applications, run `xattr -cr /Applications/Clawsy.app`, launch."
Prefer a signed and notarized installer that does not require quarantine removal, and tell users to verify the release before launching.
Screenshots, clipboard contents, and user-sent text may persist outside the main chat and be reused by the agent.
The companion stores sensitive context such as clipboard text and screenshots in a service session/workspace cache, though it documents a bounded ring buffer and TTL.
Quoted from the skill: "clipboard... screenshots... quickSend... ring buffer (max 20 items, 24h TTL). Screenshots are saved as files in the `clawsy-cache/` directory."
Make retention and deletion controls clear, avoid storing sensitive screenshots or clipboard data unless needed, and let users clear the cache easily.
If a pairing link or token is exposed, a device connection could be approved with less user oversight.
Automatic approval of a device pairing reduces the user review step for a channel that can send screenshots, clipboard data, files, and telemetry.
Quoted from the skill: "The auto-approve watcher approves the pairing — no further action needed!"
Require manual approval with clear device identity, origin, requested capabilities, and a visible revoke option.
