Clawket
Review
Audited by ClawScan on May 10, 2026.
Overview
Clawket appears to do its stated QR-pairing job, but it reads your OpenClaw Gateway auth token and exposes it in a QR image and plaintext command output.
Review this before installing if your OpenClaw Gateway token grants meaningful local control. Only use it when you explicitly want to pair Clawket, keep the QR code private, avoid copying the printed payload, and delete ~/.openclaw/media/clawket-qr.png after pairing.
Findings (3)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Anyone who sees the terminal output, generated QR code, or PNG file may be able to connect to the user's local OpenClaw Gateway using that token.
The script reads the unredacted OpenClaw Gateway auth token, embeds it in the QR payload, and also prints the full payload to command output. That token is the credential used to connect to the local Gateway.
`print(c['gateway']['auth']['token'])` ... `'token': '$TOKEN'` ... `echo "Payload: $PAYLOAD"`
Only run this after explicit user confirmation, avoid printing the plaintext token, keep the QR private, delete the generated PNG after pairing, and rotate the Gateway token if it may have been shared.
If invoked, the agent will create and share a QR image that can authorize Gateway access.
The skill directs local shell execution and sending a generated file to the user. This is disclosed and purpose-aligned, but the generated file contains an auth token.
Run the script: `bash SKILL_DIR/scripts/gateway-qr.sh` ... Send the PNG to the user via the `message` tool
Use the skill only for an intentional pairing request and do not share the QR code publicly.
The user may need to install an additional local package before the skill works.
The skill depends on an external QR tool and suggests package-manager installation, while the registry metadata lists no required binaries. This is a visibility/provenance note rather than evidence of hidden behavior.
If `qrencode` is not installed: `brew install qrencode` ... `sudo apt install qrencode` ... `choco install qrencode`
Declare qrencode and python3 as requirements and install them only from trusted package sources.
