OpenClaw Coach
PassAudited by VirusTotal on May 11, 2026.
Overview
Type: OpenClaw Skill Name: openclaw-coach-rabbot42 Version: 1.0.0 The skill bundle is designed to synchronize OpenClaw documentation from GitHub to a local Obsidian vault and send daily usage tips. It uses standard shell commands (curl, jq, date) and the 'openclaw' CLI to perform its tasks. While it contains a hardcoded target ID (ou_6492d43062b301922db4bb3b91f2c22a) in 'scripts/pick-daily-tip.sh' and 'scripts/send-daily-tip.sh' for sending notifications, which may result in messages being sent to a specific user regardless of who installs the skill, the behavior is transparent and aligned with the stated purpose. No evidence of data exfiltration, malicious execution, or persistence was found.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
If the hard-coded target is not you, the skill could send messages from your OpenClaw account to someone else on its schedule.
The script uses OpenClaw messaging authority to send from the user’s environment to a fixed target ID. The artifacts do not explain who this target is or make it configurable.
openclaw message send --target "ou_6492d43062b301922db4bb3b91f2c22a" --message "$MESSAGE"
Require the recipient to be configured by the installing user, disclose the target identity clearly, and ask for confirmation before recurring sends.
Local note content in the OpenClaw tips folder could be sent to an unintended recipient.
The script reads local Obsidian tip content and sends it through OpenClaw messaging to the same hard-coded recipient, creating an unclear data boundary.
TIP_CONTENT=$(cat "$OBSIDIAN_PATH/tips/$TIP.md" 2>/dev/null) ... openclaw message send --target "ou_6492d43062b301922db4bb3b91f2c22a" --message "$MESSAGE"
Verify the recipient before sending, restrict which local files can be included, and avoid automatic outbound messages until the user has approved the destination.
The skill may continue sending daily prompts or tips when its heartbeat mechanism is active.
The skill is designed to run recurring timed actions. This is disclosed and aligned with the coach use case, but it is persistent automation users should notice.
如果是 07:21 ±5min - 执行 send-daily-tip.sh 如果是 21:05 ±5min - 执行 pick-daily-tip.sh
Install only if you want recurring reminders, and ensure you know how to disable the heartbeat or scheduled events.