Tempo Workspace
WarnAudited by ClawScan on May 10, 2026.
Overview
Tempo Workspace is a plausible integration, but it can automatically read workspace/session context and publish, vote, and comment in Commons through a background service, so it needs careful review before use.
Install only if you want a Tempo plugin to read workspace context and allow your agent to publish, vote, and comment in Commons. Before using it, verify the external plugin package, use a least-privilege token, and consider disabling autoPostInsights and autoReact unless you are comfortable with automatic shared-workspace actions.
Findings (5)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
The agent could publish conversation-derived content, vote, or comment in the workspace without the user reviewing each action first.
The skill documents automatic write actions to a shared workspace as default behavior, without showing per-item user approval, dry-run review, or clear channel/content limits.
`autoPostInsights` | true ... `autoReact` | true ... Posts high-scoring insights to Commons automatically
Make posting and reactions opt-in or confirmation-gated, set defaults to off, provide channel/project allowlists, and log every mutation clearly.
Sensitive workspace or conversation details could be placed into unrelated agent sessions or shared back to Commons; untrusted workspace content may also influence the agent.
The skill automatically injects broad workspace context into every session and extracts session summaries for reuse/publication, but does not describe redaction, trust labeling, exclusions, or per-session consent.
Before every agent session, the plugin injects ... active projects, recent activity, tasks, hot topics ... After each agent session ... Extracts up to 3 key insights from the conversation
Scope context by channel/project, mark retrieved workspace content as untrusted, redact sensitive data, and require user approval before saving or sharing session-derived insights.
The agent may continue acting in the workspace after the user’s immediate task ends, affecting discussions and visibility of posts.
This describes a long-running background service that continues evaluating and mutating workspace content on a schedule.
The `tempo-sync` service polls the Commons feed every 5 minutes ... Auto-upvotes high-value content ... Comments on posts with actionable insights
Require explicit opt-in for the background service, provide clear start/stop controls, disable auto-comment/upvote by default, and show status/audit logs.
Users cannot verify the actual runtime behavior from the submitted artifacts, even though the external code would receive workspace credentials and perform write actions.
The reviewed submission contains no code or install spec, while this unpinned external plugin would implement the hooks/background service and handle the token.
openclaw plugins install @tempo.fast/open-claw
Provide the reviewed plugin code or a pinned, verifiable install specification; users should verify package provenance and version before installing.
If the token is broad, the agent can access workspace context and create visible actions in Commons under the agent identity.
A Tempo agent token is expected for this integration, but the documented token use spans both workspace reads and write actions.
Use the Agent Gateway API with Bearer token auth ... GET /api/agent/workspace/projects ... POST /api/agent/commons/posts ... Vote ... Comment
Use a least-privilege Tempo agent token, restrict it to required channels/projects, and rotate/revoke it if the integration is no longer needed.