Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
openclaw menubar
v1.0.0
Enable OpenClaw as a native macOS menu bar app with quick access popup. **macOS ONLY** - not compatible with Windows or Linux. Use when user asks to "enable menubar", "add menu bar", "run in menu bar", "make it accessible from menu bar", or wants quick OpenClaw access without opening full dashboard.
by @prab002
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Benign
medium confidence
Purpose & Capability
The name/description match the code: this is an Electron-based macOS menubar app that embeds the OpenClaw webchat and auto-discovers a local gateway. One discrepancy: some docs (MARKETPLACE.md, distribution notes) claim cross-platform builds, while SKILL.md and other files emphasize macOS-only. This is likely documentation inconsistency rather than malicious behavior.
Instruction Scope
Runtime instructions (SKILL.md) tell the agent to run the provided scripts (install/start/stop/status). The included code reads ~/.openclaw/openclaw.json, tries common local URLs, and may run the 'openclaw status' CLI. All of these actions are consistent with auto-discovery and local authentication for a gateway app.
Install Mechanism
No registry install spec is declared; scripts/install.sh calls npm install in the packaged assets which will pull dependencies declared in package.json/package-lock.json. This is expected for an Electron app, but npm will fetch packages from public registries — review package.json and package-lock.json if you want to audit third-party dependencies before installing.
Credentials
The skill does not request environment variables or external credentials. It does read and persist local config files (~/.openclaw/openclaw.json and ~/.openclaw/menubar-config.json) and extracts an OpenClaw gateway token for auto-auth. Reading the gateway token is proportional to the stated purpose, but you should be aware the token is handled locally (inserted into a load URL and into websocket query params).
Persistence & Privilege
The app writes a persistent config (~/.openclaw/menubar-config.json), registers a custom protocol handler (openclawmenubar://) for OAuth callbacks, and registers a global keyboard shortcut. These are normal for a native helper app but are persistent system-level changes — not automatically dangerous but worth noting.
Assessment
This package appears to do what it says: it installs an Electron menubar app that auto-discovers your local OpenClaw gateway and uses any token found in ~/.openclaw/openclaw.json to authenticate. Before installing:
1) Inspect package.json/package-lock.json for untrusted dependencies (npm install will fetch packages).
2) Review scripts/install.sh and scripts/start.sh to see what they run.
3) Be aware the app will read ~/.openclaw/openclaw.json (to extract gateway URL/token) and will save ~/.openclaw/menubar-config.json.
4) The app registers a custom protocol handler (openclawmenubar://) and a global shortcut — these are normal for UX but are persistent.
5) If you care about tight security, build/run the app in a disposable account or VM first, and verify the token handling and network endpoints are local (localhost/LAN).
Finally, note the minor documentation inconsistency about cross-platform support (the code is macOS-focused); if you need non-macOS support, ask the maintainer for clarification.
Like a lobster shell, security has layers — review code before you run it.
latestvk97d54zrbpscdqxzjrtrw95ngh811kma
