Skillv1.0.1

ClawScan security

Create Agent · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

SuspiciousFeb 28, 2026, 10:24 AM

Verdict: suspicious
Confidence: medium
Model: gpt-5-mini
Summary: The skill mostly does what its README claims (create agent files and update OpenClaw configs) but contains several mismatches and surprising behaviors (hardcoded /root paths, undocumented env‑var placeholders, and documentation that instructs extracting tokens) that you should review before running.
Guidance: Before running this skill, review the included script (scripts/create_agent.py) line-by-line and back up ~/.openclaw/openclaw.json and ~/.openclaw/workspace/TEAM.md. Run the script with --dry-run first to see changes. Be cautious about the hardcoded /root paths — run as your normal user and confirm Path.home() and referenced paths are correct. The skill's docs tell you how to extract tokens from a browser; never paste secrets into public places and avoid running token-capture steps on shared machines. If you plan to configure channel tokens, set them in environment variables yourself and confirm the variable names the script will insert. If anything looks unexpected (adding bindings for 'main', adding proxy entries, or creating auth.json files), stop and inspect the generated files before restarting gateways or services.

Review Dimensions

Purpose & Capability: noteThe name/description (create a fully configured OpenClaw agent) aligns with the code and SKILL.md: the script creates agent/workspace files and updates openclaw.json and TEAM.md. However, the package declares no required environment variables or credentials even though the code writes channel account entries that reference environment variables like ${<AGENT>_TOKEN} and the docs instruct how to extract and set tokens for ClawHub/Channels. Also some paths in the code are hardcoded to /root (e.g., agentDir and TEAM.md path) which is inconsistent with using Path.home(), suggesting possible path assumptions that may not match the user's environment.
Instruction Scope: noteSKILL.md explicitly tells users to run the included script; the script will read and write local configuration files: ~/.openclaw/openclaw.json, ~/.openclaw/agents/<id>/..., and /root/.openclaw/workspace/TEAM.md. That's inside the stated purpose, but it means the skill will modify global agent configuration and team docs and create auth.json files. The documentation (GET_TOKEN.md) also guides obtaining tokens from a browser and storing them on the server—instructions that relate to credentials but are not surfaced as required by the registry metadata.
Install Mechanism: okNo install spec; the skill is instruction-only with a Python script included. That reduces automatic install risk. The provided usage runs the script locally (python3 scripts/create_agent.py) — nothing is downloaded from third‑party URLs by the manifest itself.
Credentials: concernRegistry metadata lists no required env vars, but the script populates openclaw.json channel accounts with placeholders referencing environment variables (e.g., "${AGENTID_TOKEN}") and SKILL.md/README instructs setting environment variables for channel secrets (DEV_FE_APP_ID/SECRET and similar). GET_TOKEN.md shows how to extract a ClawHub token from a browser and suggests using it on the server. Requiring credentials (bot tokens, app secrets, ClawHub token) is plausible for channel setup, but the skill does not declare them up front and the documentation includes steps to retrieve sensitive tokens—this mismatch is a red flag and could lead to accidental credential exposure.
Persistence & Privilege: noteThe skill is not marked 'always' and does not request elevated platform privileges. However it modifies user-local configuration (openclaw.json, TEAM.md) and creates agent auth files. That is expected for its purpose but you should be aware it changes global OpenClaw configuration and may add routing bindings and channel account entries (including adding a proxy setting for telegram: http://127.0.0.1:7890).