Skill v1.0.0

ClawScan security

Agents-Manager-and-IM · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Suspicious · Mar 10, 2026, 5:07 AM
Verdict
suspicious
Confidence
high
Model
gpt-5-mini
Summary
The skill mostly does what it claims (local OpenClaw agent manager) but includes surprising/discordant items (a token-like string in docs and unsafe shell usage) that increase risk and warrant review before installation.
Guidance
This package implements a local OpenClaw agent manager and legitimately needs access to ~/.openclaw and an Operator Token. However: (1) README includes a token-like value — do not assume it is safe to reuse; treat it as sensitive, remove it, and rotate any real token if it was exposed. (2) The server runs shell commands (openclaw, nc, rm -rf) and constructs commands with values derived from user-supplied names/messages; that introduces command-injection risk. Before installing, review/patch the code to properly shell-escape or avoid shelling out (use direct APIs), sanitize agent names (remove/encode special chars), and ensure messages are handled safely. Run the service on a local, isolated host (not exposed to public networks), do not run as root, and keep your Operator Token out of shared files. If you lack the ability to audit or patch the code, prefer not to run it or run it inside a restricted container/VM and rotate your Operator Token afterwards.
Findings
[hardcoded-credential-like-string-in-README] unexpected: README.md contains a token-looking value (ZZitPPb3LZmDH2c_...) despite project claiming no hardcoded tokens; this is inconsistent and could leak a credential or confuse users into using a shared token.
[unsafe-shell-exec-insertion] unexpected: server.js and server-gemini.js build shell commands using template strings and exec/execSync (e.g. `openclaw agent --agent ${agentId} --message "${safeMessage}"`). agentId is derived from user-provided name using only whitespace replacement, and is not fully shell-escaped/quoted — this can lead to command injection if names contain special characters. Messages are partially escaped but using shell execution still risks injection or unexpected behavior.
[destructive-filesystem-ops] expected: The code runs `rm -rf` on agent directories when deleting agents. Destructive filesystem operations are expected for delete operations but are high-risk; ensure the server is not exposed to untrusted networks and validate inputs.

Review Dimensions

Purpose & Capability
ok: The files and runtime behavior match the stated purpose: a local web UI and API that lists, creates, chats with, and deletes OpenClaw agents by reading/writing ~/.openclaw, interacting with the local OpenClaw gateway, and serving a browser UI. Access to ~/.openclaw paths is consistent with an agent manager.
Instruction Scope
note: SKILL.md instructs the user to read ~/.openclaw/devices/paired.json to obtain the Operator Token and to run the included node server. Those steps are coherent for configuring a local manager, but the runtime code also executes shell commands (openclaw, nc, rm -rf) and runs agent processes in workspace directories — actions that have side effects on the host and deserve careful review.
Install Mechanism
ok: No external download or installer is used; the package is intended to be run via npm install / node. That is proportionate for a Node-based local tool. There is no install script that fetches arbitrary binaries from unknown hosts.
Credentials
concern: The skill reads and writes files under ~/.openclaw and asks the user to supply an Operator Token from ~/.openclaw/devices/paired.json — which is expected. However the README contains a token-like string (an Operator Token example) and the package metadata claims 'no hardcoded tokens'. Presence of a token-like literal in documentation is inconsistent and risky (could be a real credential or encourage copying a leaked token).
Persistence & Privilege
note: The skill persists agent data under ~/.openclaw (creates agent dirs, agents.json) and deletes them with rm -rf when requested; this is expected for a manager. always:false (no forced inclusion). The capability to remove directories and execute system commands increases blast radius, so run with least privilege and local-only exposure.