Skill v1.0.0
ClawScan security
Agents-Manager-and-IM · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Suspicious (Mar 9, 2026, 5:46 PM)
- Verdict: suspicious
- Confidence: medium
- Model: gpt-5-mini
- Summary: The skill generally matches an on‑host agent manager, but it asks for and manipulates local OpenClaw data and shell‑executes commands without fully declaring required credentials/binaries and has several unsafe patterns (hardcoded token in README, exec/rm usage, possible path/command injection).
- Guidance: This package implements a local web UI that reads and writes your OpenClaw data and runs the openclaw CLI via shell commands. Before installing/running:
  1. Review the server.js/server-gemini.js/register-existing.js code yourself (or have a trusted reviewer) — they use child_process exec/execSync and rm -rf.
  2. Do not run as root; run in a disposable VM/container or isolated user account.
  3. Remove or rotate any real tokens found in the package (README contains an openclawToken-like string).
  4. If you must run npm install, inspect package-lock.json and consider installing with an offline audit or using a verified registry.
  5. Test with non-production data first; avoid pointing this at critical production ~/.openclaw directories until you confirm behavior.
  6. If you want to proceed, consider hardening: validate/whitelist agent IDs, avoid shell interpolation (use exec with argument arrays or spawn), and add path canonicalization/restrictions to prevent traversal.
Review Dimensions
- Purpose & Capability (note): The code and docs implement a local Agent Manager (web UI + APIs) that manages ~/.openclaw workspaces and invokes the local openclaw CLI and gateway — this fits the stated purpose. However, the skill metadata declares no required binaries/env vars while the implementation clearly requires the openclaw CLI, a running OpenClaw gateway (127.0.0.1:18789), access to ~/.openclaw, and (per docs) an Operator token. The metadata omission is an inconsistency that reduces transparency.
- Instruction Scope (concern): SKILL.md and code instruct the agent/operator to read files under ~/.openclaw (e.g. devices/paired.json, workspace-*), write agent files under ~/.openclaw/agents and agents.json, and execute shell commands (openclaw agent, rm -rf, nc). Several endpoints accept user-supplied id/name/message which are interpolated into shell commands; while the code does some minimal escaping for messages, there is no comprehensive sanitization/validation (and path params are used directly in file paths), creating risk of command injection or path traversal. The docs explicitly tell users how to extract operator tokens from local files — that exposes a sensitive secret to manual copying and increases risk if combined with insecure hosting/transfer.
- Install Mechanism (note): There is no formal install spec in registry metadata (instruction-only), but the package includes package.json/package-lock and SKILL.md tells users to run npm install. That means installing will fetch many npm dependencies (from a registry mirror shown in package-lock: registry.npmmirror.com). Not flagging a direct supply-chain compromise, but the absence of an install manifest in the registry metadata + reliance on npm install is a transparency gap and requires the user to trust the package contents and registry mirror before running.
- Credentials (concern): The repo and docs expect an OpenClaw Operator token and local gateway access, but the skill metadata lists no required env vars/credentials. Worse: README.md contains an explicit openclawToken string (looks like a real token) — embedding a token in repository docs is a strong red flag (either leaked credentials or a created-for-demo token). The skill reads and writes sensitive local configuration under ~/.openclaw; requesting or embedding operator tokens without declaring them in metadata is disproportionate and risky.
- Persistence & Privilege (note): always:false (no forced persistence). The skill writes to and deletes directories under the user's ~/.openclaw (creating agent directories, writing IDENTITY.md/SOUL.md, and using rm -rf to delete). These behaviors are expected for an agent manager but grant filesystem modification privileges within the OpenClaw workspace; combining that with shell exec usage and a lack of robust input validation increases the blast radius. The skill does not attempt to modify other skills' configuration files according to the reviewed code.
