openclaw-plus

Audited by ClawScan on May 10, 2026.

Overview

OpenClaw+ openly presents itself as a broad developer automation skill, but it also gives the agent powerful local abilities such as running Python, installing packages with system-level options, and committing repository changes.

Review this skill before enabling it. It is not clearly malicious, but it is a powerful developer tool: only use it in trusted workspaces, prefer virtual environments, avoid sudo/system package installs unless you explicitly approve them, and review git changes before committing.

Findings (5)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

A package install request could change or break the user's system Python or install system-level software.

Why it was flagged

The package-management helper can run privileged system installs and bypass Python package isolation protections. That is related to the skill's purpose, but it is high-impact and not clearly gated by explicit user confirmation or environment containment.

Skill content
cmd = ['sudo', 'apt-get', 'install', '-y', package]
...
cmd = [sys.executable, '-m', 'pip', 'install', package, '--break-system-packages']
Recommendation

Use a virtual environment by default, avoid sudo unless the user explicitly confirms it, and require confirmation before using --break-system-packages or installing system packages.

What this means

Python code run through this skill can read or write local files and use installed packages within the agent's environment.

Why it was flagged

The skill includes a helper for executing arbitrary Python code in a subprocess. This is central to the stated developer purpose, but it is still powerful local code execution.

Skill content
cmd = [sys.executable, '-c', code]
...
result = subprocess.run(cmd, capture_output=True, text=True, timeout=30)
Recommendation

Only run trusted code or code the user has reviewed, and avoid executing snippets that access secrets, credentials, or sensitive files.

What this means

The agent could commit files the user did not intend to include, especially when stage_all is used in a dirty repository.

Why it was flagged

The git commit helper can stage all repository changes before committing. This is disclosed and purpose-aligned, but it can accidentally include unrelated or sensitive files if used carelessly.

Skill content
if stage_all:
    subprocess.run(['git', '-C', path, 'add', '-A'], check=True)
Recommendation

Review git status and prefer explicit file lists before allowing the skill to stage or commit changes.

What this means

If a user provides an API token, the agent may be able to act with that token's permissions for the requested API calls.

Why it was flagged

The API helper supports authenticated requests. This is expected for API workflows, and the artifacts do not show token logging or unrelated transmission, but it means the skill may handle account credentials supplied by the user.

Skill content
auth_token (str): Optional Bearer token
Recommendation

Use least-privilege tokens, avoid pasting long-lived secrets, and confirm the destination URL before authenticated API calls.

What this means

Users have less context for who maintains the skill or where to verify its source.

Why it was flagged

The skill has limited provenance metadata, while also documenting broad developer automation capabilities. This is not evidence of malicious behavior, but it reduces user ability to inspect project origin or updates.

Skill content
Source: unknown
Homepage: none
Recommendation

Prefer installing from a known source or repository, and review the included files before enabling broad automation capabilities.