Claude Code Openclaw
Security checks across static analysis, malware telemetry, and agentic risk
Overview
This appears to be a coherent local Claude Code workflow helper, but it can edit/run code, install hooks, and keep run logs, so users should use conservative profiles and scoped repositories.
Install/use this only for repositories where you are comfortable letting local Claude Code edit files and run development commands. Prefer safe permission modes, avoid bypass profiles unless explicitly needed, verify any installed hooks, and keep generated .claude/orchestrator logs private or clean them after use.
Static analysis
No static analysis findings were reported for this release.
VirusTotal
VirusTotal findings are pending for this skill version.
Risk analysis
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
If a bypass profile is selected, Claude Code may run shell commands and modify files with fewer prompts.
The skill includes an explicit high-trust profile that can bypass Claude Code permission prompts and auto-approve Bash. This can be legitimate for deliberate local automation, but it is high-impact if used on an untrusted repository or without user awareness.
local-bypass:
permission_mode: bypassPermissions
auto_accept_bypass_warning: true
auto_approve_bash: trueUse the default-safe or acceptEdits mode unless you explicitly trust the repository and task; avoid bypass profiles for unknown codebases.
Installing the latest global package can change over time and may affect the local development environment.
The documentation includes a user-directed global install using an unpinned latest package. This is a common setup pattern but introduces normal package supply-chain/version drift risk.
npm install -g @fission-ai/openspec@latest
Pin package versions where possible and install global tools only from trusted sources.
Local run logs may retain project paths, command snippets, and status messages after the task completes.
The hook logger records compact command, path, message, and working-directory metadata to a JSONL log. This is useful for observability, but command snippets or paths may contain sensitive project information.
"command": compact_text(command, limit=120),
"path": compact_text(file_path, limit=120),
"message": compact_text(message, limit=120),
"cwd": compact_text(payload.get("cwd")Avoid putting secrets in command lines, keep orchestrator logs private, and periodically clean run logs if they are no longer needed.
Completion summaries may be sent to the configured OpenClaw target.
The skill can optionally dispatch completion updates through the OpenClaw message command to a specified account and target. This is purpose-aligned for progress notifications but is still an inter-session/message boundary.
cmd = [
openclaw_bin,
"message",
"send",
"--account",
args.notify_account,
"--target",
args.notify_target,
"--message",
message,Only configure notification targets you control, and avoid including secrets or private source details in user-update messages.
Local Claude hook configuration may be changed so the orchestrator can log lifecycle events.
Claude lifecycle hook installation is enabled by default for orchestrated runs. The visible artifacts frame this as observability/recovery plumbing, but hooks are a persistence mechanism users should be aware of.
ap.add_argument("--install-hooks", dest="install_hooks", action="store_true", help="Install Claude lifecycle hooks before launch (default: on)")
ap.set_defaults(install_hooks=True)Review hook installation behavior before first use, use --no-install-hooks if not needed, and remove generated hooks/logs when finished.