Firm Acp Bridge
Suspicious. Audited by ClawScan on May 10, 2026.
Overview
This skill needs review because it directs agents to store session keys, copy provider API keys into spawned agents, and schedule host-level cron commands outside the sandbox.
Install only if you trust the ACP/MCP tool implementation and need host-level autonomous session management. Before use, verify the external packages, use scoped disposable API keys, require manual approval for cron jobs, confirm where session keys are stored, and ensure there is a clear way to audit and remove scheduled tasks and persisted sessions.
Findings (5)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
A scheduled command could run on the user's host outside the sandbox, affecting files or processes beyond the intended isolated agent session.
The skill explicitly works around sandbox-denied cron tooling by scheduling commands on the main host-access session.
Cron tools on the sandbox denylist ... Solution: schedule on the `main` session (host access) via `fleet_cron_schedule`.
Require explicit user approval for every host cron entry, prefer sandboxed execution, restrict commands to a reviewed allowlist, and provide clear list/remove/audit controls.
Spawned agents could gain access to paid model-provider accounts or other provider privileges if keys are copied broadly or into the wrong session.
The skill instructs users to propagate provider API keys into spawned or cron-driven non-main sessions, while the registry declares no env vars or credentials.
`fleet_session_inject_env` — injects provider env vars into non-main sessions ... `ANTHROPIC_API_KEY`: `<your_key>`
Use least-privilege, per-session, revocable tokens; declare required credentials in metadata; inject only with explicit user approval and only into named trusted sessions.
If the persisted session store is readable by unintended users or agents, they may be able to resume or interfere with ACP sessions.
Gateway session keys are authentication/session material; persisting them to disk is high-impact, and the artifact does not specify file path, permissions, encryption, or access controls.
`acp_session_persist` — persists run_id → gateway_session_key to disk
Document and enforce a restricted storage path, file permissions, retention limit, encryption or OS keychain use, and safe deletion of stale session keys.
Automated tasks may continue running after the original request, potentially using credentials or modifying the host environment later.
The documented workflow creates recurring autonomous activity on the main session, but the artifact does not describe lifecycle controls such as listing, disabling, or cleanup.
`fleet_cron_schedule`, `schedule`: `0 9 * * 1-5`, `session`: `main`
Add explicit lifecycle management: show created jobs, require confirmation, set expiration by default, and document how to disable or remove scheduled tasks.
Users cannot verify from these artifacts how the credential injection, session persistence, locking, or cron scheduling tools are implemented.
The high-impact tools are referenced as external dependencies, but the submitted package has no install spec, no code files, no capability tags, and no reviewed implementation for those tools.
requires: - mcp-openclaw-extensions >= 2.0.0 - "@agentclientprotocol/sdk >= 0.14.0" ... Enabled tools
Provide reviewed implementation files or pinned install specifications, declare capabilities and credentials in registry metadata, and pin trusted dependency versions or checksums.
