Setup
Pass
Audited by ClawScan on May 1, 2026.
Overview
This is an instruction-only setup guide with no hidden code, but it documents powerful options such as unrestricted commands, persistent automation, credentials, and memory/email indexing that users should enable deliberately.
Use this skill as a reference, not as a config to copy wholesale. Before installing or applying its examples, decide whether you really need full exec, all tools, browser automation, daemon/heartbeat/cron, remote gateway access, Gmail body processing, or memory/session indexing. Prefer allowlists, sandboxing, token auth, env-var secrets, local/private memory options, and OpenClaw doctor checks.
Findings (5)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
If copied without care, the agent could be allowed to run arbitrary local commands or use broad tools on the user's machine.
The guide includes recommended configurations that can enable all tools and unrestricted command execution. This is disclosed and purpose-aligned for personal/developer setups, but it is high-impact.
"tools": { "profile": "full", "exec": { "security": "full" } }
Prefer allowlisted exec, sandbox mode, and per-user allowlists unless you intentionally want full local control.
OpenClaw may continue running as a background service after setup, especially when combined with heartbeat or cron options.
The setup checklist directs the user to install the OpenClaw daemon. This is an expected setup step, but it creates persistent background capability.
openclaw onboard --install-daemon # Full wizard
Install the daemon only if you want persistent operation, and review heartbeat/cron settings after onboarding.
Private notes or past conversations could be embedded, searched, and reused in future agent context if these options are enabled.
The memory guidance can index long-term memory files, past sessions, and local notes for later retrieval. This is expected for memory search, but it can include private or stale content.
"sources": ["memory", "sessions"] ... "paths": [{ "path": "~/notes", "pattern": "**/*.md" }]
Limit indexed paths and sources, disable session indexing or auto-capture when not needed, and consider local embeddings for sensitive data.
Email or webhook content could influence agent behavior or be sent to a configured model provider if enabled.
The automation examples can route external email content into model processing. This is disclosed integration behavior, but email bodies may contain sensitive or untrusted content.
"gmail": { "account": "your@gmail.com", "label": "INBOX", "includeBody": true, "maxBytes": 50000, "model": "anthropic/claude-haiku" }
Use webhook tokens, restrict labels/sources, keep body limits low, and treat inbound email or webhook text as untrusted.
A misconfigured token or broad allowlist could give unintended users access to the bot or connected accounts.
Channel setup requires bot or app credentials and user allowlists. This is expected for messaging integrations and the security guide recommends allowlists and env vars.
"botToken": "YOUR_BOT_TOKEN" ... "allowFrom": ["YOUR_USER_ID"]
Store secrets in environment variables, use least-privilege tokens, and keep allowlists limited to trusted user IDs.
