Outclaw
Advisory. Audited by static analysis on Apr 30, 2026.
Overview
No suspicious patterns detected.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
The agent may try to execute local scripts that were not part of the reviewed package, so the user cannot verify what those helpers do from the supplied artifacts.
The skill instructs the agent to run local helper scripts, but the supplied manifest says this is an instruction-only skill with no code files and no install spec. That creates a provenance gap for code the agent is told to execute.
bash ~/.openclaw/skills/outclaw/shared/scripts/outclaw_daily_batch.sh --n 15 --stale-after-days 7
Include the referenced scripts and validators in the package, pin their provenance, or avoid instructing automatic execution of absent local code.
A routine outreach-planning request could cause the agent to run local commands before explaining what it is doing.
The instructions require shell and Python execution as an automatic first-step workflow for outreach requests, even though the executable files are not included in the reviewed artifacts.
Your first tool calls, in order, before any narrative: ... bash ~/.openclaw/skills/outclaw/shared/scripts/outclaw_daily_batch.sh ... python3 ~/.openclaw/skills/outclaw/shared/scripts/plan_scaffolder.py
Require explicit user approval before running local scripts, and provide the scripts in the reviewed artifact set.
The skill may need access to outreach accounts or paid services, but the reviewed metadata does not make those boundaries clear before installation.
These signals indicate high-impact account and payment-related authority, while the registry metadata lists no required env vars, primary credential, or config paths. The visible SKILL.md also does not clearly define credential scopes or cost controls.
can-make-purchases; requires-oauth-token; requires-sensitive-credentials
Declare required credentials, OAuth scopes, and any purchasing or billing behavior explicitly, and require user confirmation for any paid or account-mutating action.
Lead and prospect information may be stored locally in a temporary file with more detail than is needed for the visible chat response.
The skill requires broad local persistence of retrieved lead data, including all nested fields, but does not specify data minimization, retention, file permissions, or cleanup.
Write the ENTIRE MCP response JSON to `/tmp/leadbay-pull.json` verbatim ... EVERY lead, EVERY key, EVERY nested object.
Store only the fields needed for the plan, use a private per-user cache location with restrictive permissions, and document cleanup or retention behavior.
The agent may help prepare or manage outreach actions, so users should review each message and campaign step before approval.
The skill is designed for outreach actions that can affect real recipients and campaigns, but it does disclose safety guardrails requiring per-touchpoint approval and opt-out handling.
Enforces top-level hardrails (daily cap, per-touchpoint approval, feedback authority, opt-out, reply handling) BEFORE routing.
Keep the per-touchpoint approval requirement, daily caps, and opt-out handling mandatory and visible to users.
Recipients may believe the user personally wrote outreach messages unless the user adds disclosure or reviews wording carefully.
Writing in the user's voice is purpose-aligned for an outreach assistant, but the artifact explicitly optimizes for messages that do not reveal AI involvement.
You are acting AS the user ... Every email must read as if the user themselves wrote it ... no AI-tell.
Users should review generated outreach for accuracy, appropriateness, and any disclosure obligations before sending.
