Skill v1.0.0

ClawScan security

Agents-Manager-and-IM · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Suspicious · Mar 9, 2026, 5:23 PM
Verdict: suspicious
Confidence: medium
Model: gpt-5-mini
Summary: The package mostly matches an agent-management tool but includes surprising/toxic elements (a hard-coded Operator token, shell execution of user-controlled messages, and file-system operations under ~/.openclaw) that increase risk and deserve caution.
Guidance: This package implements the claimed UI and local agent management, but exercise caution before installing:

- Do not run it on a sensitive machine as-is. The server executes shell commands and can read/write/delete files under ~/.openclaw. That includes use of `rm -rf` and `openclaw` CLI invocations.
- The repository contains a hard-coded openclawToken in server.js/config.json; treat that as a leaked secret. Confirm whether it is a dummy token; if it is real, rotate it and do not use the packaged value. Prefer configuring the gateway URL and token via secure environment variables rather than embedded constants.
- The server inserts user-supplied message text directly into a shell command with only limited escaping, which can enable command injection (for example via $(...) or backticks). Before running, review/patch the code to avoid shell interpolation (use child_process.spawn with an args array or an API that accepts input without shell interpretation) and validate/sanitize inputs.
- If you still want to use this tool: run it in an isolated, non-privileged environment (container or dedicated VM), back up ~/.openclaw, and inspect/replace any embedded credentials. Prefer the version that reads tokens from a secure config or env, and remove/replace the hard-coded token.

What would change this assessment: confirmation from the author that the token is intentionally dummy (and not usable), and proof that command execution paths have been rewritten to avoid shell interpolation (or a clear whitelist/sanitization). If those are provided, the tool looks much more coherent and lower-risk.

Review Dimensions

Purpose & Capability
note: Files and runtime instructions implement an agent-management web UI and CLI and interact with an OpenClaw gateway and local agent workspaces, which is coherent with the stated purpose. However, the repository contains a hard-coded openclawToken in server.js and config.json instead of requiring it from environment/config, which is unexpected and unnecessary for a reusable skill.
Instruction Scope
concern: Runtime code reads and writes files under the user's home (~/.openclaw), scans workspace-* directories, copies identity/soul files, and executes system commands (openclaw CLI, nc, rm -rf). The server executes shell commands that include user-supplied text (message) interpolated into a shell command with only minimal escaping of quotes/newlines; this creates command injection risk. These behaviors go beyond serving UI assets and are high-impact (file modification, deletion, and arbitrary command execution).
Install Mechanism
ok: This is an instruction-only skill with source files included and no external download/install steps. No remote payloads are fetched at install time. Risk comes from what the shipped code does at runtime rather than from installer behavior.
Credentials
concern: SKILL.md declares no required env vars, but the code embeds an openclawToken value and references an OpenClaw gateway URL. A legitimate manager would accept an operator token via configuration or env var; shipping a token in code is disproportionate and a credential-leak risk. The code also accesses many home-directory paths (~/.openclaw), which is plausible for this tool but amplifies the impact of any secret misuse or flaw.
Persistence & Privilege
note: always:false (no forced inclusion), and the skill does not request to persist itself in manager configuration. It does, however, write agent directories and a global agents.json under ~/.openclaw and exposes endpoints that can delete agent directories via rm -rf. Those write/delete privileges are expected for an agent manager but are dangerous if the code is exploited or improperly sandboxed.