Openclaw Spacesuit
Security checks across malware telemetry and agentic risk
Overview
This workspace framework is mostly coherent, but it gives the agent broad authority to search private files and credentials, persist and push memory, and open tunnels without clear user approval.
Install only if you want a highly opinionated workspace framework. Before using it, narrow the search and credential rules, decide whether memory files may be committed or pushed, and require explicit approval before reading secrets, scanning private folders, or starting public tunnels.
VirusTotal
66/66 vendors flagged this skill as clean.
Risk analysis
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
The agent may inspect private cloud-synced files, dotfiles, prior sessions, or memory without a clear per-task approval boundary.
The skill instructs the agent to search broad local and synced private areas, not just the workspace, when trying to find information.
EXHAUST ALL OPTIONS before saying "not found": ... Cloud storage / synced drives ... Home config: `~/.config/`, dotfiles ... Sessions: Recent history, handoffs ... Memory: Semantic search
Limit search instructions to user-approved workspace paths by default and require explicit confirmation before searching home config, cloud storage, prior sessions, or other private locations.
The agent could access API keys, tokens, or other secrets beyond what a user expected this scaffold skill to use.
The skill directs the agent to search common credential stores broadly, while the registry declares no credential requirement or scoped credential contract.
When looking for API keys, tokens, or credentials: 1. Workspace `.envrc` ... 2. Workspace `.env` ... 3. Gateway config ... 4. Tool-specific config — `~/.config/{tool}/` ... 5. Environment variables — `env | grep -i {keyword}` ... ALWAYS check .envrc first.
Declare any expected credential use, restrict lookup to named services needed for a task, and require user approval before reading secret-bearing files or environment variables.
Personal context may be stored long-term, reused by future sessions, and pushed outside the machine if the workspace has a git remote.
The framework creates persistent personal memory and encourages committing and pushing those notes, which can retain sensitive context and sync it to a remote repository.
You can **read, edit, and update** MEMORY.md freely in main sessions ... Write significant events, thoughts, decisions, opinions, lessons learned ... `git add memory/*.md && git commit -m "memory: $(date +%Y-%m-%d) notes" && git push`
Add explicit retention rules, review-before-write and review-before-push steps, and clear exclusions for sensitive personal data.
A local development service could be exposed through a tunnel and shared more broadly than intended.
The instruction encourages automatically opening and maintaining an externally reachable tunnel during web UI development without requiring explicit user approval.
When developing web UIs ... **Always start with tunnel** — `./start.sh --tunnel` or equivalent ... **Always share the link** ... **Keep it running**
Require explicit user confirmation before starting tunnels, document what will be exposed, and stop tunnels by default when work is complete.
Running the script can create a local index of people from prior Slack/session transcripts.
The utility script is purpose-aligned and user-invoked, but it reads local session transcripts and stores Slack operator identifiers and message counts.
Scans OpenClaw session transcripts and extracts unique users who have interacted with the bot. Outputs to state/operators.json.
Use `--dry-run` first, review `state/operators.json`, and avoid sharing that file if operator identities are private.
Running the installer changes the workspace root and adds executable scripts.
The setup script writes workspace files, creates directories, and copies executable utility scripts; this is expected for the scaffold but is still local code execution.
mkdir -p "$WORKSPACE/memory" ... mkdir -p "$WORKSPACE/scripts" ... cp "$script" "$target" ... chmod +x "$target" ... echo "$VERSION" > "$WORKSPACE/.spacesuit-version"
Review the generated files after install, run setup from the intended workspace only, and prefer dry-run or diff commands before upgrades.
