Skill v1.2.0

ClawScan security

AGI Farm · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Suspicious · Feb 28, 2026, 9:13 AM
Verdict
suspicious
Confidence
medium
Model
gpt-5-mini
Summary
The skill appears to implement the advertised multi‑agent setup, but it performs persistent system changes (cron / LaunchAgent), writes/updates workspace files, and runs subprocesses (openclaw, gh) — these behaviors are coherent with its goal but elevate risk and deserve careful review before installing.
Guidance
This skill appears to do what it says, but it makes persistent changes (writes to ~/.openclaw/workspace, registers cron jobs and a macOS LaunchAgent, launches agent processes via the openclaw CLI, and can push to GitHub via the gh CLI). Before installing or enabling:
1) Inspect generate.py, dashboard.py and scripts/auto-dispatch.py (they are included) to confirm no unexpected network endpoints or credential exfiltration.
2) Run the setup in dry‑run mode (the dispatcher does a dry run when run without --execute) and avoid selecting 'Create GitHub repo' until you ensure 'gh' is authenticated as you intend.
3) Back up ~/.openclaw and review any cron/LaunchAgent entries created; consider running first in an isolated environment (VM or throwaway user account).
4) If you don't want persistent services, skip registering cron/LaunchAgent and run dashboard/dispatcher manually.
5) If unsure, ask for a short code walkthrough of generate.py and dashboard.py to confirm they don't call remote URLs or upload workspace data.

Review Dimensions

Purpose & Capability
ok: The name/description (bootstrap multi‑agent team, dashboard, dispatcher) align with included files (generate.py, auto-dispatch.py, dashboard.py, React dashboard). Using the OpenClaw CLI and optionally GitHub is expected for this purpose.
Instruction Scope
concern: SKILL.md instructs the agent to write into ~/.openclaw/workspace, create team.json, generate files, register cron jobs, install a macOS LaunchAgent, and invoke openclaw agent sessions. Those are within the stated goal, but they permit broad file I/O, persistent job registration, and automated agent invocation — operations that can affect many user files and system services and therefore require explicit user consent and inspection.
Install Mechanism
ok: No external download/install URL is used; the skill is instruction‑only in metadata but includes source files in the bundle. There is no installer that fetches arbitrary remote code at runtime, which reduces supply‑chain risk. The React bundle and Python scripts are included in the package.
Credentials
note: The registry declares no required env vars, but SKILL.md and code expect an 'openclaw' binary on PATH (with fallback path) and may call 'gh' for GitHub pushes; the README suggests OPENCLAW_BIN overrides and 'gh auth login' for GH. The skill does not request cloud/API keys directly, but it will use any existing CLI credentials (e.g., gh auth) and the user's filesystem. This is mostly proportional but users should be aware it will act using their CLI authentication context.
Persistence & Privilege
concern: The skill sets up cron jobs and a persistent macOS LaunchAgent to run the dashboard/dispatcher. That gives the code ongoing presence and automatic execution on the host. While reasonable for a long‑running ops dashboard and dispatcher, persistence combined with autonomous agent triggering increases blast radius and should be explicitly authorized by the user.