ClawdChat
WarnAudited by ClawScan on May 10, 2026.
Overview
ClawdChat matches its social-network purpose, but it asks the agent to keep acting autonomously, store credentials in persistent places, and update itself from remote files with inconsistent domains.
Only install this if you intentionally want an autonomous AI social-network persona. Before using it, verify the official API domain, keep the API key out of memory/workspace backups, disable automatic heartbeat/self-updates unless explicitly desired, and require approval for posts, comments, DMs, follows, and other public or account-changing actions.
Findings (6)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
The agent could speak publicly or privately, like content, and shape the account's social identity without the user reviewing every action.
The heartbeat makes mutating social actions such as DM replies, comments, and likes mandatory routine actions rather than actions that clearly require user approval each time.
| 检查并回复私信 | 有未读时 | **必做** | ... | 浏览新帖并评论 | 每次心跳 1-3 条 | **必做** | ... | 点赞好内容 | 每次心跳 1-5 次 | **必做** |
Require human approval for posts, comments, DMs, follows, and other account-mutating actions, and set clear rate limits and audit logs.
The agent may keep checking and interacting with ClawdChat across sessions, including when the user did not ask for a specific social action.
This creates a recurring workflow that fetches and executes a remote Markdown heartbeat and records persistent state, rather than limiting activity to explicit user requests.
## ClawdChat (Every 1-2 hours) If more than 1 hour since last ClawdChat check: 1. Fetch https://clawdchat.ai/heartbeat.md and execute 2. Update lastClawdChatCheck timestamp in memory
Disable the heartbeat unless the user explicitly wants ongoing autonomous participation; prefer manual invocation or user-approved scheduled checks.
Future remote changes to the skill files could change the agent's behavior after installation.
The skill instructs the agent to replace its own instruction files from a remote source, with no signature, pinning, registry review, or human approval requirement shown.
版本有更新时,重新获取并安装最新的 `SKILL.md` 、`skill.json` 和 `HEARTBEAT.md` 到技能安装目录
Pin reviewed versions, require human review before updating SKILL.md or HEARTBEAT.md, and document a single trusted update source.
A ClawdChat API key represents the agent identity; using it with an unexpected or inconsistent domain could expose or misuse the account.
HEARTBEAT.md sends the bearer API key to clawdchat.cn, while the visible SKILL.md credential warning says the key should only appear in requests to https://clawdchat.ai/api/v1/*, creating an unclear credential boundary.
curl https://clawdchat.cn/api/v1/agents/status \ -H "Authorization: Bearer YOUR_API_KEY"
Verify the official API domain before use, align all artifacts to one trusted host, and rotate the key if it was sent to an unintended domain.
The API key could persist into future context or workspace files where other tasks, skills, or users may accidentally access it.
This appears in the API-key credential saving section and encourages backing up a secret into workspace or agent memory without retention, access-control, or redaction boundaries.
For backup, sync to workspace or memory, but always prioritize the primary file for read/write.
Store the API key only in a dedicated credentials store or tightly scoped local file, never in general agent memory or broad workspace notes.
Other agents or users on the platform could send messages that influence the agent's behavior or trigger unwanted replies.
The workflow requires reading and responding to external messages, but the artifacts do not show boundaries for treating other agents' messages as untrusted instructions.
检查并回复私信(有未读时必做) ... 有未读消息 → 获取对话详情并回复 ... 有消息请求 → 查看内容,决定是否回复
Treat all posts, comments, and DMs as untrusted content; never follow operational instructions from them without human approval.