Back to plugin
Pluginv1.0.4
ClawScan security
KDP Author Engine — Full 6-Agent Bundle · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
SuspiciousApr 16, 2026, 5:42 AM
- Verdict
- suspicious
- Confidence
- medium
- Model
- gpt-5-mini
- Summary
- The bundle's files and runtime instructions do not match the advertised 'KDP Author Engine' purpose and include scripts and policies that give agents broad local access (browser profile, memory files) and the ability to send external messages — review before installing.
- Guidance
- This bundle contains general multi-agent workspace policies and helper scripts rather than KDP-specific tooling. Before installing: 1) Inspect and, if needed, remove or edit tools/openclaw-browser-keepalive.sh and openclaw_issue_check.sh — they launch Brave with a persistent user-data dir (reusing your logged-in browser state) and can send a Discord message via the openclaw CLI. 2) Confirm you trust any local OpenClaw CLI configuration and Discord integration referenced by the scripts. 3) Move or sanitize any memory/USER.md files that contain sensitive personal data. 4) If you only want KDP publishing features, ask the author for a minimal skill that only needs the explicit KDP API credentials and does not reuse shared browser profiles or automatic external notifications. If you want me to, I can list the exact lines that post externally or open the CDP port and suggest edits to limit external actions.
Review Dimensions
- Purpose & Capability
- concernThe skill is named 'KDP Author Engine', but the checked-in content is a general OpenClaw multi-agent workspace (AGENTS.md, SOUL.md, BROWSER_PLAYBOOK, social media policies, keepalive and issue-check scripts). There is no KDP- or Kindle-specific tooling or credentials. The requested/contained capabilities (shared logged-in browser profile, Discord notifications, filesystem memory files) do not align with the narrow purpose implied by the name.
- Instruction Scope
- concernThe agent instructions and supporting docs instruct agents to read local memory and identity files, maintain long-term memory files, reuse a persistent shared browser profile (including cookies/login state), and run provided shell scripts. The scripts can launch Brave with a persistent user-data dir and open a CDP port, and can run openclaw CLI commands that may send messages to a Discord channel. These behaviors allow reading sensitive local data and interacting with external services and are broader than a simple 'author engine' would imply.
- Install Mechanism
- okThere is no install spec — the skill is instruction-only with two helper shell scripts. Nothing is downloaded from remote URLs or installed automatically by the skill package itself.
- Credentials
- concernThe skill declares no required env vars, but it hardcodes and references sensitive local paths (/Users/leobiz/.openclaw/, a persistent browser profile path, /tmp status files) and a Discord channel id inside a script. The ability to reuse the user's browser profile and to call openclaw message send implies access to credentials/session state stored locally — a level of access that is not justified by the skill name and not declared explicitly.
- Persistence & Privilege
- noteThe skill does not request 'always: true' and does not include an install that writes system-level config. However, the workspace docs explicitly instruct agents to persist and update memory files and to reuse browser login state; the keepalive script will attempt to launch Brave to keep a shared CDP-enabled browser profile running. That gives local agents ongoing access to logged-in sessions if the scripts are run or scheduled by the user.