v1.0.0

Firm Acp Bridge

ReviewClawScan verdict for this skill. Analyzed May 1, 2026, 6:13 AM.

Analysis

This instruction-only skill is openly aimed at ACP reliability, but it asks the agent to persist session keys, spread provider API keys into autonomous sessions, and schedule host-level cron jobs outside the sandbox.

GuidanceReview this carefully before installing or following it. It may be useful for ACP reliability, but only use it with trusted, reviewed implementations of the referenced tools, explicit approval for credential injection and host cron creation, and a clear way to inspect, revoke, and clean up persisted sessions and scheduled jobs.

Findings (5)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

Abnormal behavior control

Checks for instructions or behavior that redirect the agent, misuse tools, execute unexpected code, cascade across systems, exploit user trust, or continue outside the intended task.

Tool Misuse and Exploitation

SeverityHighConfidenceHighStatusConcern

SKILL.md

**Solution :** Planifier sur la session `main` (accès hôte) via `fleet_cron_schedule`.

The skill explicitly routes scheduled tasks to the main host-access session to avoid sandbox cron restrictions. This exposes host-level command scheduling rather than keeping execution inside an isolated session.

User impactA scheduled command could run repeatedly on the host environment and affect files, credentials, or processes outside the intended sandbox.

RecommendationRequire explicit user confirmation for every host cron entry, restrict commands to reviewed scripts in trusted paths, provide listing/removal controls, and prefer sandboxed execution unless host access is truly necessary.

Rogue Agents

SeverityMediumConfidenceHighStatusConcern

SKILL.md

"tool": "fleet_cron_schedule", "args": { "command": "node scripts/daily-report.js", "schedule": "0 9 * * 1-5", "session": "main" }

The artifact describes creating recurring autonomous work on the main session. Recurring scheduled execution is persistent behavior that can continue after the original user interaction.

User impactThe agent could leave behind recurring jobs that keep running and making changes unless the user knows how to inspect and remove them.

RecommendationMake scheduled jobs opt-in, visible, time-bounded, and easy to revoke; avoid creating persistent jobs by default.

Agentic Supply Chain Vulnerabilities

SeverityLowConfidenceMediumStatusNote

SKILL.md

requires:\n      - mcp-openclaw-extensions >= 2.0.0\n      - "@agentclientprotocol/sdk >= 0.14.0"

The skill references external dependencies and tools with lower-bound version requirements, while the submitted package contains no code or install spec for reviewing those implementations.

User impactThe safety of the described high-impact tools depends on external components not included in this artifact review.

RecommendationVerify the source and implementation of the required MCP/ACP extensions, pin trusted versions, and review their handling of credentials, session keys, and cron commands before use.

Permission boundary

Checks whether tool use, credentials, dependencies, identity, account access, or inter-agent boundaries are broader than the stated purpose.

Identity and Privilege Abuse

SeverityHighConfidenceHighStatusConcern

SKILL.md

acp_session_persist       — persiste run_id → gateway_session_key sur disque (C4)

The skill directs storage of gateway session keys on disk. These keys may act as delegated session authority, and the artifact does not specify storage path, file permissions, encryption, or user-controlled cleanup beyond stale-session purging.

User impactIf the persisted session-key file is exposed or mishandled, another process or user could potentially recover or reuse active ACP session access.

RecommendationOnly use this with a reviewed implementation that stores session keys in a protected location with restrictive permissions, short TTLs, encryption or OS keychain support where possible, and clear cleanup controls.

Identity and Privilege Abuse

SeverityMediumConfidenceHighStatusConcern

SKILL.md

"env_vars": { "ANTHROPIC_API_KEY": "<your_key>", "OPENCLAW_MODEL": "claude-3-5-sonnet-20241022" }

The skill instructs injecting provider credentials into non-main or spawned autonomous sessions. Although this is related to the stated purpose, it expands where API keys are available and includes broad allowed names such as CUSTOM_*.

User impactAutonomous sessions could gain access to paid or sensitive provider credentials, increasing the blast radius if a spawned session behaves unexpectedly or is compromised.

RecommendationUse least-privilege or temporary provider keys, restrict which sessions receive them, avoid broad CUSTOM_* secrets, and require explicit user approval before credential injection.