Workspace Casual Lucas
Suspicious
Audited by ClawScan on May 10, 2026.
Overview
This workspace helper exposes unrestricted local command execution and arbitrary file reads, including through WhatsApp triggers, without clear workspace limits or approval controls.
Review carefully before installing. This skill may be useful for trusted local automation, but it effectively gives the agent raw shell and file access. Only enable it in a sandbox or trusted workspace, disable WhatsApp triggers for command execution, and require explicit approval for any command or file read.
Findings (4)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
A user or triggering message could cause the agent to run any local shell command, potentially changing, deleting, or exposing files and system state.
The skill directly executes an arbitrary command string supplied as an argument, with no validation, approval gate, working-directory restriction, or sandbox.
run_command: ({ command }) => { ... const output = execSync(command, { encoding: "utf8" });
Do not install unless you fully trust the source and need raw shell access; prefer a version with an allowlist of safe workspace commands, explicit approval before execution, and sandboxing.
The skill could read private local files, configuration files, or credentials if a broad path is provided.
The file reader resolves and reads any existing path instead of enforcing that the file is inside the declared OpenClaw workspace.
const resolvedPath = path.resolve(file); ... return fs.readFileSync(resolvedPath, "utf8");
Restrict file access to an approved workspace root, block sensitive paths, and require explicit user confirmation before reading files outside the workspace.
If these triggers are active, a matching WhatsApp message could cause command execution or file access through the agent.
A WhatsApp-channel trigger captures message text and passes it directly into the unrestricted shell command function, with no authentication or approval controls shown in the artifacts.
"pattern": "(?i).*run command (.*)", ... "command": "$1", ... "channels": ["whatsapp"]
Disable external-message triggers for shell/file operations unless sender identity, authorization, and per-action approval are clearly enforced.
It is harder to verify who maintains the skill or whether updates are trustworthy.
The package provenance is not identified, which matters more because the skill grants broad local command and file access.
Source: unknown
Only install high-privilege skills from sources and authors you trust, and review the exact code before enabling them.
