ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

OpenClaw Agent 创建器

v1.0.0

创建新的 OpenClaw Agent。用于当用户要求创建新 agent、添加新机器人、配置新模型测试环境时触发。

0· 135·1 current·1 all-time
by@axelhu
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Suspicious
View report →
OpenClawOpenClaw
Benign
high confidence
Purpose & Capability
The skill's name/description (agent creator) match the actions it instructs: creating workspace directories, copying agent templates, and updating ~/.openclaw/openclaw.json. Required artifacts (templates, models.json, auth.json) are expected for an agent creator.
Instruction Scope
Instructions explicitly require creating directories and editing the global OpenClaw config (~/.openclaw/openclaw.json). The included templates direct agents to read local memory and logs (MEMORY.md, daily logs, etc.), which is consistent with agent behavior but widens what the created agent will access. No network exfiltration endpoints or obfuscated operations are present in the instructions.
Install Mechanism
No install spec and no code files are executed—this is instruction-only and thus has low installation risk. The skill only copies included templates from the skill path to the workspace.
!
Credentials
The skill does not request environment variables, but it instructs storing third-party channel credentials (Feishu appId/appSecret) into openclaw.json. Storing secrets in plaintext config files is a security concern; users should be aware they must supply sensitive values and that those values will be written into a local JSON file unless they take alternate precautions.
Persistence & Privilege
always is false and the skill is user-invocable. It does modify a global OpenClaw configuration file (~/.openclaw/openclaw.json), which is expected for creating agents but means it has the ability to change runtime agent lists and bindings. This is proportionate to its purpose but worth being cautious about.
Assessment
This skill appears to do what it says: create agent workspace directories, copy templates, and update your ~/.openclaw/openclaw.json. Before running it, review the templates and back up ~/.openclaw/openclaw.json. If you provide Feishu/Lark credentials (appId/appSecret), note the skill instructs you to place them in openclaw.json (likely plaintext)—consider using a secrets manager or restricting file permissions. Also be mindful when adding agent IDs to agentToAgent.allow or broad channel bindings: limit them to only the agents/accounts you intend to expose. If you want extra assurance, manually perform the steps the first time rather than copying files automatically.

Like a lobster shell, security has layers — review code before you run it.

latestvk9725gennmxfx32xrpr60jxems832rv9

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Comments