Skill v1.0.0

ClawScan security

Agent Manager · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Suspicious · Mar 9, 2026, 5:37 PM
Verdict: suspicious
Confidence: high
Model: gpt-5-mini
Summary
The skill's code largely matches an agent-manager purpose, but it embeds a hard-coded Operator token, reads/writes ~/.openclaw data, and runs shell commands built from user input—these inconsistencies raise security concerns and require code review before use.
Guidance
This package mostly does what it says (a local agent manager) but has clear risks you should address before running it:
1) Do not run it as-is; inspect the code. Remove the hard-coded openclawToken and configure tokens via environment variables or a local config file with appropriate filesystem permissions.
2) Review and harden places that call the shell: message text is embedded into zsh commands with only minimal escaping, which can allow shell injection. Replace shell calls with direct API calls or robust argument escaping (avoid composing commands via strings).
3) Back up ~/.openclaw before installing; the server can write and delete agent directories (rm -rf).
4) Run the service in a restricted environment (non-root user, container, or VM) until you vet it.
5) If you plan to use it, prefer server-gemini/server.js edits to remove any hard-coded secrets, add strict input sanitization, and limit network access.
If you are uncomfortable auditing the code, do not install/execute it.
Findings
[hardcoded_secret_in_source] unexpected: server.js contains a hard-coded openclawToken value (cleartext). A manager should accept credentials from the user/environment rather than shipping a token in code.
[shell_exec_usage] expected: The skill executes shell commands (child_process.exec / execSync) to call the local 'openclaw' CLI and perform file operations. This is functionally expected for an agent manager that orchestrates a CLI, but it increases risk because some commands embed user-controlled input.
[reads_local_config_and_tokens] expected: SKILL.md and code read ~/.openclaw/devices/paired.json and other workspace files to obtain tokens and workspaces. That is required for integrating with local OpenClaw, but it's sensitive data and should be handled carefully.

Review Dimensions

Purpose & Capability
note: The name and description (agent manager, Gemini-style UI) align with the included server and frontend files. However, the metadata declared no required credentials or binaries, while the code expects an OpenClaw CLI (openclaw) and local OpenClaw data under ~/.openclaw. The skill therefore requires access and tools that the registry metadata did not advertise.
Instruction Scope
concern: Runtime instructions and code read sensitive local files (e.g. ~/.openclaw/devices/paired.json, ~/.openclaw/workspace-*, ~/.openclaw/agents, agents.json) and instruct running the service on localhost. The SKILL.md even shows commands to cat paired.json to get operator tokens. HTTP endpoints call into the local workspace and the server executes openclaw CLI commands; chat messages are passed into shell commands. This surface collects and manipulates local agent configuration and tokens—more privilege than a simple UI—and the instructions encourage exposing operator tokens.
Install Mechanism
note: There is no remote download/install spec in the registry (instruction-only), but the package contains code and a package-lock.json, so 'npm install' will fetch public npm packages. Dependencies are standard (express, cors, uuid, node-fetch). No third-party binary downloads or obscure URLs were observed.
Credentials
concern: The repository contains a hard-coded openclawToken in server.js/README and instructs users to place an Operator Token in config.json / obtain it from ~/.openclaw/devices/paired.json, but the skill metadata lists no required environment variables or credentials. Embedding a token in code and instructing users to expose local token files is disproportionate and risky. The skill also requires access to the user's home OpenClaw directories (reads/writes), which are sensitive.
Persistence & Privilege
note: The skill is not always-enabled and does not request special platform privileges. It does persist state into ~/.openclaw (agents directories and agents.json), and API endpoints can delete agent directories via rm -rf—expected for an agent manager but destructive if misused. This is within the scope of an agent manager but worth noting before granting access.