Skillv2.0.1

ClawScan security

Complex Task Subagent · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

ReviewMar 31, 2026, 11:42 AM

Verdict: Review
Confidence: medium
Model: gpt-5-mini
Summary: The skill broadly matches its stated purpose (subagent/task orchestration) but contains multiple inconsistencies and system-impacting instructions (editing device pairing, writing under /root, external git clone recommendations, undeclared binary dependencies) that warrant caution before installing.
Guidance: This skill implements a complex subagent orchestration framework, but several red flags mean you should be careful before installing or running it: - Provenance: SKILL.md recommends cloning a Gitee repo even though code is bundled — confirm the source and review the remote repo before running any clone/pull. - System changes: The instructions ask you to edit ~/.openclaw/devices/pending.json to auto-approve multiple tools and to restart the gateway. That weakens pairing controls and affects all agents on the host — avoid enabling automatic approvals unless you understand and accept this risk. - Privileges and paths: Scripts read/write under /root/.openclaw and expect to run with filesystem access. Prefer running in a sandbox or non-production environment first, and back up any config files before modifying them. - Undeclared dependencies: The registry metadata says no required binaries/env vars, but the scripts expect python3, jq, git, openclaw/sessions_spawn and other utilities. Install and verify these dependencies explicitly and inspect scripts for what they will execute. - Network and credentials: The workflow includes git push to Gitee and sending notifications (Feishu), which will use your git/SSH credentials or external API keys. Do not run push/upload steps until you review commit content and credentials used. Recommended next steps: 1) Review the bundled scripts line-by-line (especially anything that edits ~/.openclaw/devices/pending.json, calls external URLs, or runs git push). 2) Run locally in an isolated test environment or VM, not on a production system or your primary account. 3) Do not apply the device autoApprove change; instead manually approve only the tools you trust. 4) Ensure required binaries (python3, jq, git, openclaw CLI) are present and inspect their use. 5) If you need this functionality but are uncomfortable, request a version that avoids system-wide config edits and documents required deps and exact network endpoints. If you want, I can enumerate the exact commands/files that modify system config and point to lines to inspect first.

Review Dimensions

Purpose & Capability: noteThe name/description claim complex subagent orchestration, and the included scripts and docs implement that functionality (sessions_spawn, checkpoints, cron integration, Heartbeat). However the package declares no required binaries or env vars while the scripts clearly expect tools like python3, jq, git, openclaw/ sessions_spawn and other system utilities; the SKILL.md also instructs cloning an external Gitee repo despite the skill bundle including files — this mismatch is unexplained.
Instruction Scope: concernRuntime instructions and docs tell the operator/agent to write into system paths under /root/.openclaw, edit ~/.openclaw/devices/pending.json to auto-approve devices/tools, restart the gateway, run sessions_spawn/openclaw CLI commands, and push to Gitee. These steps change system-wide pairing/approval behavior and perform network operations; they go beyond simple in-skill task orchestration and grant the skill broad ability to alter runtime and network state.
Install Mechanism: noteThere is no formal install spec in the registry, but SKILL.md recommends git cloning from a Gitee repo (https://gitee.com/GoSundayPlus/complex-task-subagent-skill.git). The skill package already contains scripts/docs, so recommending an external clone is inconsistent and raises provenance questions (why fetch additional code outward if files are bundled?). The clone target is a third-party repo (not a well-known release host like GitHub releases), which increases risk if the user follows those instructions.
Credentials: concernThe registry lists no required credentials or env vars, but the skill expects access to system config and user git/ssh credentials (for git push to Gitee), the openclaw gateway, and to modify ~/.openclaw/devices/pending.json to auto-approve tools. It also implicitly requires tools (jq, python3, git, sessions_spawn/openclaw) that are not declared. Asking to autoApprove 'browser, cli, openclaw-control-ui' affects device/tool pairing beyond this skill's immediate purpose and is disproportionate without explicit justification.
Persistence & Privilege: concernThe skill does not set always:true, but its instructions explicitly modify system configuration (~/.openclaw/devices/pending.json) and gateway behavior (restart), which grants persistent, system-wide effects. It also instructs creating skills under the skills directory and performing git pushes. Those actions allow lasting changes to the agent environment and can increase blast radius if abused.