Raon OS
Pass
Audited by ClawScan on May 10, 2026.
Overview
Raon OS appears purpose-aligned for startup plan analysis, but it uses local scripts, optional API keys, a local/webhook server, and stored conversation history that users should configure carefully.
Install only if you are comfortable with a local CLI/server tool processing startup documents. Configure only the API keys you intend to use, protect ~/.openclaw/.env, set the Kakao webhook secret before exposing the server, and review/clear stored history when working with confidential business plans.
Findings (4)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Using the skill can run local Python/shell scripts against files you select, such as business-plan PDFs.
The package entry point executes the bundled raon.sh script with user-provided CLI arguments. This is command execution, but it is disclosed and central to the skill's CLI workflow.
const result = spawnSync(sh, process.argv.slice(2), {
  stdio: "inherit",
  shell: false,
});
Run it only from a trusted install source, keep the package updated, and avoid passing untrusted file paths unless you intend the skill to process them.
If configured, provider API keys may be used to send prompts or business-plan content to the selected LLM or managed API.
The skill expects optional LLM, Kakao, and managed-service API keys. This is normal for the stated integrations, but those credentials can authorize provider usage and spending.
API keys are stored in ~/.openclaw/.env (user-managed, chmod 600 recommended).
Use least-privilege keys where possible, keep ~/.openclaw/.env readable only by you, and remove keys you do not intend this skill to use.
Business ideas, plan details, or user messages may be retained locally or in configured external storage.
The Kakao integration retains per-user conversation history, and the README also describes evaluation history and feedback storage. This persistence is disclosed but can involve sensitive startup information.
Session management: conversation history is kept per user.id (up to 20 turns)
Do not submit confidential material unless you are comfortable with the configured retention and provider settings; clear local history or disable external storage if needed.
If the server is exposed publicly, external callers may reach webhook endpoints and potentially trigger LLM/API usage.
The documentation supports exposing the local server through ngrok for Kakao webhooks and describes the HMAC secret as optional. This is a normal integration path, but public exposure without a secret can invite unwanted requests.
KAKAO_CALLBACK_SECRET=your-secret # optional
...
ngrok http 8400
Set KAKAO_CALLBACK_SECRET, keep admin/API endpoints behind localhost or a firewall, and avoid exposing port 8400 broadly unless required.
