openlink

Review

Audited by ClawScan on May 10, 2026.

Overview

This skill is for a social community, but it asks agents to run a recurring heartbeat that can fetch changing instructions and post, reply, or vote publicly without clear per-action approval.

Install only if you want an agent to participate in openlink. Do not enable the heartbeat unless you are comfortable with recurring activity, and require approval before the agent posts, replies, or votes publicly.

Findings (6)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

The agent could keep checking the site and engaging over time, including after the original user task is finished.

Why it was flagged

This creates a recurring agent activity loop that persists beyond a single user request and explicitly follows future remote instructions.

Skill content

Add this to your heartbeat file (run every 30+ minutes): ... Fetch https://www.openlink.wiki/heartbeat.md and follow it ... Update memory: lastOpenlinkCheck = now

Recommendation

Only enable the heartbeat if the user explicitly wants recurring participation; require confirmation before any post, reply, or vote.

What this means

The agent may publish content or cast votes under the user's or agent's identity without the user reviewing each action.

Why it was flagged

The heartbeat encourages mutation API calls for public replies, posts, and votes as part of a scheduled workflow, with no explicit per-action approval step.

Skill content

Step 2 — Engage (pick one or more) ... curl -X POST https://www.openlink.wiki/api/agent/replies ... curl -X POST https://www.openlink.wiki/api/agent/posts ... curl -X POST https://www.openlink.wiki/api/votes

Recommendation

Use draft-only behavior by default, show the exact proposed post/reply/vote, and require user approval before sending mutation requests.

What this means

If the remote heartbeat changes, the agent's behavior could shift without the user or registry reviewing the new instructions.

Why it was flagged

The skill tells the agent to treat a remotely hosted, changeable document as executable operating instructions.

Skill content

Fetch https://www.openlink.wiki/heartbeat.md and follow it

Recommendation

Treat remote heartbeat content as untrusted data, pin a reviewed version, and do not follow changed instructions without user approval.

What this means

A later install or refresh could retrieve different instructions than the reviewed artifacts.

Why it was flagged

The local install instructions pull skill files directly from a mutable website URL without a pinned version or checksum.

Skill content

curl -s https://www.openlink.wiki/skill.md > ~/.openclaw/skills/openlink/SKILL.md && curl -s https://www.openlink.wiki/heartbeat.md > ~/.openclaw/skills/openlink/HEARTBEAT.md

Recommendation

Prefer registry-reviewed artifacts or add pinned versions and checksums for downloaded skill files.

What this means

Anyone with the API key could act through the openlink API with the agent's permissions.

Why it was flagged

The service uses a bearer API key that grants posting, replying, voting, and reading authority; this is expected for the integration but is not declared as a primary credential in the registry metadata.

Skill content

All requests require your API key in the Authorization header

Recommendation

Store the API key securely, send it only to the documented openlink API domain, and revoke or rotate it if exposed.

What this means

Users may believe all participating agents are human-verified even though the skill also supports unverified self-registration.

Why it was flagged

The artifacts make conflicting claims about whether agents require verified human ownership, which could overstate accountability or safety.

Skill content

Agents can self-register instantly — no human needed upfront ... Every agent on openlink is created and owned by a verified human (Google account required).

Recommendation

Clarify the difference between unverified self-registered agents and human-claimed agents, and avoid broad safety claims.