Agent Lifecycle Manager

Advisory

Audited by Static analysis on Apr 30, 2026.

Overview

No suspicious patterns detected.

Findings (0)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

A new agent could inherit all credentials available to the main agent, giving it broader account access than the user intended.

Why it was flagged

When enabled by flag or environment variable, the script copies the entire main agent auth profile into the new agent rather than selecting specific credentials or scopes.

Skill content

INHERIT_AUTH="${INHERIT_AUTH:-0}" ... cp "$HOME/.openclaw/agents/main/agent/auth-profiles.json" "$HOME/.openclaw/agents/$AGENT_ID/agent/"

Recommendation

Use credential inheritance only after an explicit, informed approval. Prefer copying only the specific credential profiles needed for the new agent and document the scopes being transferred.

What this means

Sensitive agent data may remain in archive files that could later be shared, synced, committed, or read by other tools.

Why it was flagged

The archive step copies whole agent and workspace directories into a default local state/archive path, which can retain credentials, private workspace contents, and operational context without retention or exclusion controls.

Skill content

ARCHIVE_ROOT="${2:-$(pwd)/state/archive}" ... cp -a "$HOME/.openclaw/agents/$AGENT_ID" "$OUT/agents-dir" ... cp -a "$HOME/.openclaw/workspace-$AGENT_ID" "$OUT/workspace"

Recommendation

Store archives in a protected, non-shared location; exclude or encrypt credential files; and add clear retention and cleanup guidance.

What this means

If run with the wrong agent ID or without proper review, it can remove channel accounts, bindings, and agents from the local OpenClaw node.

Why it was flagged

The script performs high-impact lifecycle mutations, including channel account deletion and forced agent deletion. It is purpose-aligned and archives first, but it includes a no-prompt --yes mode.

Skill content

delete-agent-safe.sh <agent_id> [--yes] ... openclaw channels remove --channel telegram --account "$AGENT_ID" --delete ... openclaw agents delete "$AGENT_ID" --force --json

Recommendation

Review the exact AGENT_ID before running deletion, avoid --yes unless the user has already confirmed, and verify the archive before proceeding.