Skill v1.0.0
ClawScan security
add-agent · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Suspicious · Feb 27, 2026, 10:06 AM
- Verdict
- suspicious
- Confidence
- medium
- Model
- gpt-5-mini
- Summary
- The skill's claimed purpose (creating a new agent and wiring a Telegram bot) is coherent, but the runtime instructions are vague and include operations that duplicate credentials, perform global config edits, and use unsafe shell patterns — these behaviors increase risk and need careful review before use.
- Guidance
- This skill generally does what it says, but proceed carefully. Before running:
  1. Ensure you know where your openclaw.json (CONFIG_PATH) actually resides and back it up manually (don't rely on wildcard restores).
  2. Inspect main/auth-profiles.json — it may contain tokens/credentials; decide whether the new agent should receive those secrets or if you should copy only a sanitized subset.
  3. Enforce a safe AGENT_ID character policy (alphanumeric, hyphen/underscore) to avoid path traversal or injection.
  4. Prefer safer JSON edits (jq or a small script) and atomic file writes rather than ad-hoc appends; validate and review the modified openclaw.json before restarting the gateway.
  5. Avoid handing BOT_TOKEN through insecure channels; provide it securely when prompted.

  If possible, test the procedure in a non-production environment first. These changes reduce the chance of accidental credential exposure or configuration corruption.
Review Dimensions
- Purpose & Capability
- ok: Name/description match the instructions: the SKILL.md details creating workspaces, updating openclaw.json, copying skills/auth and configuring Telegram binding. The meta.json requirement of python3 aligns with using python -m json.tool for validation.
- Instruction Scope
- concern: Instructions tell the agent to read and modify the global openclaw.json, copy auth-profiles.json (potentially containing secrets), copy the full skills directory, and change ownership. Several important variables (e.g., CONFIG_PATH/where to find openclaw.json) are assumed but not clearly defined. There is no input sanitization (AGENT_ID, BOT_TOKEN, ALLOW_FROM), no protection against path traversal or injection, and restore instructions use a wildcard pattern (cp ${CONFIG_PATH}.bak.* ${CONFIG_PATH}) which is unsafe. These gaps could lead to accidental config corruption or unintended disclosure/duplication of secrets.
- Install Mechanism
- ok: This is an instruction-only skill with no install actions or external downloads. That's lower risk; the only runtime dependency is python3 (declared in _meta.json) and is justified by the JSON validation step.
- Credentials
- note: The skill does not request environment variables or external credentials, which is consistent. However, it instructs copying auth-profiles.json from the main agent into the new agent's directory — effectively duplicating whatever credentials live there. Copying credentials is plausible for convenience but increases attack surface and may be disproportionate unless the user intends the new agent to have identical access. The SKILL.md doesn't offer an option to exclude or filter sensitive entries.
- Persistence & Privilege
- note: The skill modifies the global openclaw.json and agent-to-agent bindings (expected for creating a new agent). It does not request always:true or persistent privileges. Still, writing to global config and enabling agentToAgent communication are privileged actions: users should review resulting openclaw.json changes before restarting services.
