Skill v2.0.0
ClawScan security
Ai Collab · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Suspicious · Feb 27, 2026, 10:33 PM
- Verdict: suspicious
- Confidence: medium
- Model: gpt-5-mini
- Summary: The skill's behavior (background daemons, Telegram bridge, OpenAI/claude usage, and many required env vars/binaries) is coherent with a multi-agent collab tool, but the package metadata does not declare the many required environment variables or binaries, and the runtime instructions encourage autonomous, always-on behavior. This inconsistency and the potential for network-triggered autonomous actions warrant caution.
- Guidance: This skill contains multiple shell scripts and a detailed runbook that will create long-running daemons, integrate with Telegram, and may call either a local 'claude' CLI or the OpenAI API. Before installing or running:
  1) Review every script line-by-line (particularly daemon.sh, telegram bridge, and any python snippets) and confirm you trust the model CLIs (claude, openclaw) being invoked.
  2) Do not copy your API keys or bot tokens into ~/.openclaw/.env until you've audited the code; prefer testing in an isolated VM/container and restrict network access.
  3) Be cautious enabling the Telegram bridge: only whitelist trusted user IDs and understand that group messages can trigger autonomous actions.
  4) Add required binaries and sensitive env vars to the skill metadata or checklist yourself so you know what will be used.
  5) If you want lower risk, avoid running the Telegram bridge and the cron/inotify daemons; instead do manual sandboxed tests.
  The main red flags are the missing declared env/binary requirements and the explicit instructions to operate autonomously without permission.
Review Dimensions
- Purpose & Capability (concern): The skill claims to be a multi-agent collaboration system, which matches the included scripts and docs, but the registry metadata lists no required env vars or binaries while SKILL.md and the scripts clearly require many environment variables and external binaries (claude CLI, openclaw CLI, tmux, inotifywait, curl, python3). The omission of these requirements in metadata is an incoherence: a legitimate multi-agent skill should declare the secrets and runtime deps it needs.
- Instruction Scope (concern): SKILL.md tells operators to run daemons, start tmux sessions, create cron jobs, route Telegram messages into an inbox, and optionally call OpenAI APIs, all of which grant the skill ongoing access to filesystem, network, and the ability to act on external triggers. It also contains a system-prompt ('Jim Workflow') that instructs agents to 'never ask permission' and proceed autonomously. The instructions therefore go beyond a simple helper and direct broad autonomous behavior and network interactions.
- Install Mechanism (ok): There is no install spec (instruction-only install), and the included code files are plain shell/Python snippets. That lowers automatic install risk because nothing is downloaded during install. However, the code will be placed in the skill directory and the user is expected to run the scripts; the lack of an automated install does not remove runtime risk.
- Credentials (concern): Metadata declares no required env vars, but SKILL.md and examples expect many sensitive values: OPENAI_API_KEY (optional GPT path), TELEGRAM_BOT_TOKEN, TELEGRAM_GROUP_ID, TELEGRAM_USER_ID, AGENT_A_NAME, AGENT_B_NAME, AGENT_B_MODEL, AGENT_B_SESSION, COLLAB_INBOX, COLLAB_LOG, etc. Requiring messaging tokens and API keys is reasonable for the described features, but the omission from the declared requirements is an inconsistency and increases the chance a user will unknowingly expose secrets. The skill expects storing secrets in ~/.openclaw/.env and reading them at runtime; verify file protections and trust the code before adding secrets.
- Persistence & Privilege (concern): The skill's runtime promotes long-running daemons (tmux sessions, cron polling, inotify watchers) and a Telegram bridge that can trigger autonomous responses. While always:false is set and model invocation is allowed (platform default), the provided system prompts and workflow explicitly encourage autonomous action without asking for permission. Combined with persistent daemons and network triggers, this increases the operational blast radius and warrants caution.
