New Agent
v2.1.0
Create new OpenClaw agents and connect them to messaging channels (Telegram, Discord, Slack, Feishu, WhatsApp, Signal, Google Chat). Supports single and batc...
by focusailab @joansongjr
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Benign
high confidence
Purpose & Capability
Name/description, SKILL.md, README, and the two scripts all focus on creating agent workspaces, registering agents via the openclaw CLI, and writing channel credentials into the gateway config (openclaw.json). The requested/used resources (workspace dir, openclaw.json, optional OPENCLAW_STATE_DIR) are consistent with that purpose.
Instruction Scope
The runtime instructions and scripts create workspace files, call the local 'openclaw' CLI, back up and read/write the gateway config (~/.openclaw/openclaw.json by default), and restart the gateway. This is within scope but noteworthy: the scripts will store provided channel credentials (bot tokens, app secrets, service-account info) in the top-level config and add agents to tools.agentToAgent.allow, which persists sensitive data and changes routing/agent-communication policy.
Install Mechanism
No external install or network downloads; this is an instruction-only skill with included shell/Python scripts that run locally. There are no URL downloads, package installs, or archive extraction steps in the provided files.
Credentials
The skill declares no required env vars. The scripts optionally respect OPENCLAW_STATE_DIR and otherwise operate on the user's OpenClaw state directory. They will ingest tokens/appSecrets provided in a manifest or via interactive login and write them into openclaw.json — this is expected, but it means you must supply channel credentials and accept they will be persisted in the gateway config.
Persistence & Privilege
always is false and the skill does not request permanent platform-level privileges. It modifies the gateway's own config (openclaw.json) and adds agents to agentToAgent.allow, which is consistent with its function and not an unexplained privilege escalation.
Assessment
This skill appears to do what it says, but review and use cautiously:
1) Inspect the manifest you pass to batch-setup.sh — it contains bot tokens/app secrets. Keep that file private and delete it when done.
2) The scripts will write those credentials into your openclaw.json and create backup copies; do not commit openclaw.json or backups to source control.
3) The scripts add agents to tools.agentToAgent.allow (enables agent-to-agent messaging) — verify you want that for security/isolation reasons.
4) Only run these scripts on a trusted machine where you control the OpenClaw gateway; consider testing with a small dry-run or a non-production gateway first.
5) Confirm the source of the skill (homepage is empty) before cloning/installing from unknown remotes; review the repository if installing from GitHub.
Finally, ensure the manifest includes actual credentials (the scripts insert MISSING_* placeholders if fields are absent) and keep manifests/configs protected.
Like a lobster shell, security has layers — review code before you run it.
