ClawRecipes
Security checks across malware telemetry and agentic risk
Overview
ClawRecipes appears to be a legitimate OpenClaw plugin for scaffolding agents and workflows, but it can change local OpenClaw configuration, run scheduled/workflow tasks, install skills, and use provider API keys when those features are enabled.
Install this if you want OpenClaw recipe-based agent/team scaffolding and workflow automation. Before enabling advanced features, inspect recipes, tool permissions, required skills, media-driver API keys, and cron jobs; leave confirmation gates on unless you intentionally want automated installs or scheduled agent work.
VirusTotal
No VirusTotal findings
Risk analysis
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
A recipe can grant agents access to file, web, runtime, or other tools depending on the recipe and flags used.
Recipe scaffolding can change an agent's tool permissions, which is central to the plugin's purpose but should be reviewed before applying.
Recipes can define tool policy and apply it into OpenClaw config when you scaffold with `--apply-config`.
Inspect a recipe's tool policy before using --apply-config, and keep high-risk tools limited to roles that need them.
Media workflows may use your configured third-party API keys and may incur provider costs or expose prompts/files to those providers.
The plugin may use provider credentials from local OpenClaw configuration for media workflows; this is disclosed and aligned with media generation, with no artifact evidence of unrelated credential use or exfiltration.
ClawRecipes reads API keys from your OpenClaw config and passes them to media generation scripts (e.g., DALL-E, Kling).
Use least-privileged provider keys, review media workflow definitions, and avoid enabling media drivers you do not trust.
Installing third-party recipes or skills can change what agents are instructed or allowed to do.
The plugin can add recipes or skills from external marketplaces, which is purpose-aligned but expands the trusted code/instruction surface.
- **workspace recipe installs** from the marketplace - **ClawHub skill installs** for agents or teams
Install recipes and skills only from trusted publishers, and review required skills before accepting auto-install prompts.
Incorrect, sensitive, or adversarial content written into shared memory could be reused by later agents.
Bundled recipes create persistent shared memory/context files that can influence future agent sessions.
`shared-context/memory/team.jsonl` (append-only) `shared-context/memory/pinned.jsonl` (append-only, curated/high-signal)
Do not store secrets in shared context, periodically review memory files, and keep pinned memory curated.
If enabled, agents may run periodically and continue processing tickets or updating files without a fresh manual command each time.
Recipes can define recurring scheduled agent work loops. The shown bundled cron job is disabled by default, so this is disclosed/prompted persistence rather than hidden background behavior.
cronJobs:
- id: lead-triage-loop
schedule: "*/30 7-23 * * 1-5"
...
enabledByDefault: falseKeep cron installation on prompt/off unless you intentionally want scheduled automation, and review each cron message and schedule before enabling it.
A user might dismiss a warning too quickly even though the underlying API-key behavior deserves review.
The documentation proactively explains a security warning and discloses the credential-related reason. Users should still treat API-key handling as sensitive rather than relying only on the reassurance.
During install you may see: `Plugin "recipes" has 2 suspicious code pattern(s)`. This is expected ... and is not a security concern.
Read the credential and media-driver documentation before enabling provider workflows, even if the installer warning is expected.