OpenClaw Safe Agent CLI MCP
Security checks across static analysis, malware telemetry, and agentic risk
Overview
The skill is documented as a safety-focused local CLI wrapper, but the bundle registers MCP servers whose implementation files are not included, so its promised safeguards are not evidence-backed.
Treat this as a Review item, not proven malware. The concept is coherent and safety-oriented, but the supplied bundle lacks the actual server code it registers. Before installing, verify that the complete packages/ implementation is present, buildable, and reviewed; then configure narrow allowedRoots and use dry-run mode before allowing writes.
Static analysis
No static analysis findings were reported for this release.
VirusTotal
VirusTotal engine telemetry is currently stale for this artifact.
Risk analysis
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Installing this bundle may either fail to run or depend on unreviewed/missing code for the very safeguards it advertises.
The MCP bundle is configured to launch server entrypoints under packages/*/dist, but the supplied file manifest contains only top-level metadata/docs files and no packages directory or implementation code.
"args": ["${CLAUDE_PLUGIN_ROOT}/packages/claude-cli-mcp/dist/index.js"] ... "args": ["${CLAUDE_PLUGIN_ROOT}/packages/codex-cli-mcp/dist/index.js"]
Only install after obtaining and reviewing a complete source package that includes the packages/* server code, build outputs, and any lockfiles or build instructions needed to reproduce them.
If a user or agent approves real execution, the downstream coding CLI may make changes in the selected workspace.
The skill exposes MCP tools that can invoke local Claude/Codex task workflows. The documented write gate is purpose-aligned, but the capability can still modify a project when explicitly enabled.
`claude_task` | Dry-run first, write gate required for real execution
`codex_task` | Dry-run first, write gate required for real execution
Keep allowedRoots narrow, use dryRun first, and approve allowWrites only for repositories where local code changes are acceptable.
Runs may use the user's local provider account/session and whatever permissions those CLIs have in the selected workspace.
Real executions rely on the user's already-authenticated local Claude/Codex CLI accounts, which is expected for this integration but important privilege context.
The local Claude CLI and/or Codex CLI installed and authenticated if you plan to execute real runs.
Use dedicated or appropriately scoped CLI accounts where possible, and avoid running against sensitive repositories without reviewing the complete implementation.
Code or prompt content provided to the tool may be processed by the downstream local CLI and its associated provider behavior.
The core design passes prompts and project context between a primary agent and a nested local Claude/Codex agent over MCP.
your primary agent can call a second local coding agent as a tool
Do not send secrets in prompts, keep project roots limited, and review downstream CLI privacy/settings before enabling real runs.
