v1.0.11

Infinite Oracle

ReviewClawScan verdict for this skill. Analyzed May 1, 2026, 6:05 AM.

Analysis

This skill openly aims to run a persistent autonomous worker agent, but that creates lasting control, credential, memory, and external-sync risks that should be reviewed before installation.

Guidance: Install this only if you intentionally want a long-running autonomous worker. Before starting it, sandbox the worker, use a low-privilege OpenClaw profile, set API budget limits, review SOUL.md and AGENTS.md, avoid sharing sensitive codes or secrets through Feishu/Lark, and make sure you know how to stop and clean up the background loop.

Findings (6)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

Abnormal behavior control

Checks for instructions or behavior that redirect the agent, misuse tools, execute unexpected code, cascade across systems, exploit user trust, or continue outside the intended task.

Rogue Agents
Severity: High | Confidence: High | Status: Concern
README_EN.md
The Manager will run the Bash commands, build the Worker, inject the persona, and start the `nohup` background process.

This shows that creating and running a persistent background worker is part of normal operation, not merely documentation or a one-time setup step.

User impact: A worker agent may keep running after setup, spend API credits, create artifacts, and continue pursuing objectives unless the user actively monitors or stops it.
Recommendation: Install only with a dedicated sandbox, explicit stop/restart procedure, API spend limits, and regular review of the worker process and logs.
Tool Misuse and Exploitation
Severity: Medium | Confidence: High | Status: Concern
peco_loop.py
10) Autonomy-first rule: when a choice can be made safely with available tools/resources, decide and execute directly without asking human.

The runtime prompt tells the worker to act without asking the human when it judges an action safe, but the artifacts do not clearly define approval boundaries for sensitive tools or environments.

User impact: The worker may run commands, change files, call APIs, or otherwise act through available tools without per-action confirmation.
Recommendation: Restrict the worker's tools and permissions, require explicit approval for destructive/account/external actions, and run it in a least-privilege environment.
Agentic Supply Chain Vulnerabilities
Severity: Low | Confidence: High | Status: Note
README_EN.md
Download the repo at git@github.com:KepanWang/openclaw-infinite-oracle.git, install SKILL.md as the infinite-oracle skill, and place peco_loop.py in the working directory.

The documentation includes a user-directed install path from an unpinned remote repository, so a user following it could install code that differs from the reviewed package.

User impact: A later change to the repository could alter what gets installed if the user follows the one-shot prompt or manual clone instructions.
Recommendation: Prefer the reviewed ClawHub artifact or pin a specific commit and verify the files before copying them into the OpenClaw directory.
Permission boundary

Checks whether tool use, credentials, dependencies, identity, account access, or inter-agent boundaries are broader than the stated purpose.

Identity and Privilege Abuse
Severity: Medium | Confidence: Medium | Status: Concern
peco_loop.py
GATEWAY_CONFIG_CANDIDATES = (
    Path("/root/.openclaw/openclaw.json"),
    Path.home() / ".openclaw" / "openclaw.json",
)

The loop is designed to locate local OpenClaw configuration, including a root-owned path, which can carry account/session authority for the local gateway.

User impact: If run with a powerful OpenClaw profile, the worker may inherit broad account or workspace permissions.
Recommendation: Use a separate low-privilege OpenClaw profile for the worker, avoid running it as root, and check what credentials or gateway authority the config file grants.
Sensitive data protection

Checks for exposed credentials, poisoned memory or context, unclear communication boundaries, or sensitive data that could leave the user's control.

Memory and Context Poisoning
Severity: Medium | Confidence: High | Status: Concern
SKILL.md
this desire will be written into `SOUL.md` and reinforced during the PLAN phase

The skill deliberately stores a durable instruction/motive and re-injects it into future planning, which can influence later behavior beyond the immediate install request.

User impact: Persistent worker instructions could bias future tasks, survive across sessions, or make the agent continue optimizing for a broad motive instead of a narrowly scoped user request.
Recommendation: Review and edit SOUL.md and AGENTS.md before starting the loop, keep the desire narrowly scoped, and reset or remove the files when the task is over.
Insecure Inter-Agent Communication
Severity: Medium | Confidence: High | Status: Concern
README_EN.md
The Worker streams its progress and Human Tasks directly to the spreadsheet. You can just check a "Resolved" box and type a code on your phone, and the Worker automatically syncs it back.

The skill can move human task data, including verification codes, through an external Feishu/Lark spreadsheet and back into the worker loop.

User impact: Sensitive human-in-the-loop data such as OTPs, account blockers, or approvals may be stored in and shared through a third-party table.
Recommendation: Do not put passwords, long-lived secrets, banking details, or reusable recovery codes into the table; keep the Feishu/Lark app least-privileged and private, and purge sensitive records.