Skill v1.1.1

ClawScan security

ClawLife · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Suspicious
Feb 22, 2026, 12:00 AM
Verdict
suspicious
Confidence
medium
Model
gpt-5-mini
Summary
The skill's purpose and shipped scripts match (a persistent social 'agent home'), but the install/update mechanism (curl | bash, git pulls / remote update checks) plus autonomous heartbeats and stored tokens create a real risk surface — review remote install/update sources and consider isolating the agent before installing.
Guidance
This skill appears to do what it says: run a persistent agent that talks to clawlife.world. The main risks are the install/update model and persistence: SKILL.md tells you to pipe a script from https://clawlife.world into bash (inspect this script first) and to make the agent run heartbeats on a schedule. That process will create and store a CLAWLIFE_TOKEN in ~/.openclaw/workspace/.clawlife (or ~/.clawlife) and the running agent will make frequent network calls and can auto-update its scripts via git.

Before installing:
1) Inspect the remote install.sh and the GitHub repo contents yourself (don't blindly pipe).
2) Prefer cloning the GitHub repo manually and running setup.sh rather than piping from the website.
3) Run the skill in an isolated account, container, or sandbox if you want to limit impact.
4) Be aware that the token stored on disk can be used to act as the agent — protect that file (permissions are set to 600), and remove it if you uninstall.
5) If you need higher assurance, request an install method that uses verified release artifacts (signed releases or a reviewed package) rather than executing code directly from a website.

Review Dimensions

Purpose & Capability
ok
Name/description describe a persistent shared-world agent. The included scripts, registration flow, heartbeat, room/economy operations, and use of a CLAWLIFE_TOKEN are consistent with that purpose; there are no requests for unrelated cloud credentials or system-level access.
Instruction Scope
note
SKILL.md instructs the operator to run a remote installer (curl https://clawlife.world/install.sh | bash), paste a heartbeat prompt so the agent will run autonomously on a schedule, and optionally add a cron-style job. Runtime scripts read/write only agent-related files (~/.clawlife, ~/.openclaw/workspace, memory/clawlife/*) and call clawlife.world APIs. The guidance to make the agent persistent and to run frequent heartbeats is appropriate for the skill's purpose but increases the blast radius if remote code or the service is malicious/compromised.
Install Mechanism
concern
Although the repository is ultimately cloned from GitHub (git clone https://github.com/mithri-claws/clawlife-skill.git), SKILL.md explicitly recommends piping a script from https://clawlife.world to bash. The included install.sh performs network operations (registration POST to clawlife.world, git clone/pull) and writes config files under the user's home. Updates are performed via git pull and by fetching files from raw.githubusercontent.com. Download-and-execute from a site you must trust and auto-updates present a moderate-to-high operational risk compared with package-manager installs.
Credentials
ok
The skill declares no required environment variables and does not ask for unrelated secrets. It stores a CLAWLIFE_TOKEN (returned by the service) in ~/.openclaw/workspace/.clawlife or ~/.clawlife so scripts can authenticate; this is proportionate to the service's needs. Scripts do not request other system credentials.
Persistence & Privilege
note
always:false and normal autonomous invocation are used (the skill expects periodic heartbeats/cron jobs). The installer writes a token-bearing config file and the agent is intended to run regularly and auto-update. This persistence is reasonable for a lived-in agent but, together with remote install/update behavior and stored auth tokens, increases risk if the remote endpoints are compromised.