AI CEO Automation
PassAudited by VirusTotal on May 11, 2026.
Overview
Type: OpenClaw Skill Name: ai-ceo-automation Version: 1.0.0 The skill instructs the AI agent to `git clone` a repository from a third-party GitHub account (`https://github.com/sendwealth/claw-intelligence`) as part of its 'Quick Start' setup in `SKILL.md`. While this action is presented as a necessary step for 'AI CEO automation,' it introduces a supply chain risk. If the remote repository were compromised or contained malicious code, the agent would fetch it, potentially leading to further compromise if the agent is subsequently instructed to execute scripts from the cloned content. This represents a significant capability that could be abused, but without explicit malicious instructions within the provided skill bundle, it is classified as suspicious rather than malicious.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
You may end up running automation code that was not reviewed as part of this skill.
The reviewed package contains only the instruction file, but the setup directs users to obtain the actual workflows and scripts from an external repository that was not included for review.
git clone https://github.com/sendwealth/claw-intelligence
Inspect the external repository, especially .github/workflows and any scripts, before enabling or running anything; prefer pinned, trusted actions and a test repository first.
Automated workflows could post customer-facing replies, deploy public content, or perform repository actions in ways you did not intend.
The skill asks users to enable a broad GitHub Actions setting while also describing workflows for issue auto-replies, deployments, reports, and hourly checks, but it does not define approval, token-permission, or action-source limits.
启用 GitHub Actions ... 启用 "Allow all actions"
Do not enable broad Actions permissions blindly; restrict workflow permissions, require manual approvals for customer/public actions, and allow only reviewed or pinned actions.
Workflows may run with repository authority and could affect your GitHub project, Pages site, or issue interactions.
Changing repository Actions settings requires privileged GitHub repository control, but the skill gives no guidance on least-privilege repository roles, GITHUB_TOKEN permissions, or safe handling of production secrets.
进入仓库 Settings > Actions
Use a dedicated test repository or organization, set minimal GITHUB_TOKEN permissions, avoid adding production secrets until reviewed, and separate automation accounts from owner/admin accounts.
The automation may continue acting after setup, including when you are not actively supervising it.
The skill explicitly promotes recurring autonomous operation, including hourly CEO checks and 24/7 customer service, without describing stop conditions, audit review, or disable/uninstall steps.
`ceo-hourly-check.yml` - CEO 每小时检查
Disable scheduled workflows by default, enable them one at a time, add clear stop conditions and alerts, and document how to pause or remove them.
A mistaken template, workflow, or agent decision could be repeated across many customers or public channels.
The skill encourages one automated system to serve multiple customers, while also advertising automated acquisition, response, delivery, and monitoring; no containment or per-customer approval boundary is described.
规模效应: 一套系统服务多个客户
Add per-customer isolation, manual review for outbound messages and deliveries, rollback plans, and monitoring before using the automation beyond a test environment.