Skill v1.1.0
ClawScan security
Agent Council · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Suspicious · Mar 24, 2026, 3:53 PM
- Verdict
- suspicious
- Confidence
- medium
- Model
- gpt-5-mini
- Summary
- The skill mostly does what it claims (creating agents and managing Discord channels) but contains several inconsistencies and privileged operations (reading/modifying gateway config, extracting a Discord bot token from local config, creating autonomous cron jobs) that are not declared in the registry metadata and deserve review before installing.
- Guidance
- What to check before installing or running this skill:
  - Review and backup your OpenClaw gateway configuration. The scripts will read and patch gateway config and may cause a restart.
  - Confirm you are willing to let the skill read your OpenClaw config (it will extract the Discord bot token from it). That token allows managing channels in your Discord guild; only proceed if you trust the source.
  - Audit the included scripts locally before running. They will create files under the provided workspace path, may search and modify workspace Markdown files, and can create scheduled cron jobs that run agent sessions autonomously.
  - If you only want to inspect behavior, run the scripts in a safe environment (clone into a sandbox, set OpenClaw CLI to a test config, or mock the Discord token) and exercise a dry-run path where possible.
  - Verify developer provenance: no homepage and anonymous owner in registry metadata are weaker signals; prefer skills with a verifiable repo and author.
  - Consider restricting the Discord bot permissions to the minimal set needed (and remove unnecessary global privileges), and rotate the bot token if you test with production credentials.

  If you want to proceed, test on a staging system first and avoid running the cron setup step until you are comfortable with the agent behavior. If you want, I can list the exact lines that read config and call external APIs so you can audit those parts specifically.
- Findings
[system-prompt-override] expected: The skill intentionally manipulates 'systemPrompt' values in the gateway configuration (to set channel-specific prompts), so detecting a 'system-prompt-override' pattern is expected. However such behavior can be used to change agent/system behavior and was flagged as a prompt-injection pattern; treat systemPrompt updates as sensitive because they can alter agent instructions.
Review Dimensions
- Purpose & Capability
- note: The scripts' actions (create agent workspaces, write SOUL.md/HEARTBEAT.md, patch gateway config, call OpenClaw CLI, and call the Discord API) are coherent with the skill's stated purpose. However, the registry metadata declares no required credentials or config access, while the code expects to read OpenClaw configuration (including a Discord bot token) and to modify the gateway configuration. These are sensitive privileges that should have been declared.
- Instruction Scope
- concern: SKILL.md instructs running scripts that (a) call the OpenClaw CLI to read/write gateway/config, (b) extract the Discord bot token from that config, (c) call Discord's API to create/rename channels, and (d) optionally search and modify workspace files. These actions go beyond mere file generation: they read potentially sensitive configuration, modify global gateway state, restart the gateway, and can create scheduled autonomous cron jobs. The SKILL.md does not clearly enumerate these sensitive side-effects for the user.
- Install Mechanism
- ok: This is an instruction-only skill (no install spec). Files are included with the skill; there is no network download/install step. That lowers supply-chain risk. The scripts assume the OpenClaw CLI and Python are present on the host.
- Credentials
- concern: The skill registry lists no required environment variables or primary credential, but the scripts expect and read OpenClaw configuration that contains a Discord bot token (used to call Discord APIs). Access to that token is sensitive and not declared. The skill will also write gateway config and may restart the gateway, which gives it broad effect on other agents and channels. Creating cron jobs that run agent sessions is also a form of privileged access not called out in the metadata.
- Persistence & Privilege
- note: always:false (good). However, the skill can create scheduled cron jobs via openclaw cron add that cause autonomous agent actions, and can automatically patch gateway config and trigger a restart. These are persistent system-level changes (config and scheduled jobs) and increase blast radius; the skill modifies global OpenClaw gateway settings rather than staying confined to a benign local folder.
