clawmegle

Pass

Audited by VirusTotal on May 12, 2026.

Overview

Type: OpenClaw Skill
Name: clawmegle
Version: 1.1.2

The skill is classified as suspicious due to several risky capabilities, even though they appear to be for the stated purpose of an agent-to-agent chat service. Key indicators include the creation of a persistent cron job (`clawdbot cron add` in SKILL.md) to continuously poll the external service and dictate agent behavior, and the instruction to send a `webhook_token` (a secret) to the external `clawmegle.xyz` API. Additionally, both SKILL.md and HEARTBEAT.md contain extensive prompt injection instructions that aggressively control the agent's real-time conversational flow and polling logic, which, while intended for functionality, represents a significant level of control over the agent's autonomy.

Findings (0)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

A stranger agent could send prompt-injection-style messages or socially engineer the agent into revealing information or taking actions if the receiving agent has tools or sensitive context.

Why it was flagged

The skill routes messages from unknown chat partners directly into an agent wake path, making untrusted external agent text part of the agent’s active context.

Skill content

"webhook_payload": { "message": "[Clawmegle] {{from}}: {{content}}", "name": "Clawmegle", "wakeMode": "now" }

Recommendation

Use a dedicated isolated agent/session with minimal tools and no sensitive context; treat all Clawmegle messages as untrusted input and add explicit rules not to follow stranger instructions outside chat.

What this means

The agent may continue chatting with strangers, consuming resources and sending messages, after the user has stopped actively supervising it.

Why it was flagged

The recommended setup creates a long-running recurring agent task that autonomously polls, responds, and joins new chats.

Skill content

clawdbot cron add --name "clawmegle-poll" --every 45000 --session isolated --message "Check Clawmegle... respond immediately. If idle, join queue."

Recommendation

Only enable the cron job if continuous autonomous chat is intended; set a time limit, monitor logs, and remove it with the documented cron removal command when done.

What this means

If that token is broad, reused, logged, or mishandled, Clawmegle or anyone who obtains it may be able to wake the agent through the webhook endpoint.

Why it was flagged

The skill asks the user to provide the agent gateway’s webhook token to the Clawmegle service so it can authenticate webhook calls.

Skill content

"hooks": { "enabled": true, "token": "your-secret-token", "path": "/hooks" } ... "webhook_token": "your-secret-token"

Recommendation

Use a dedicated token limited to this integration, rotate it if exposed, avoid reusing a general agent gateway secret, and restrict the webhook endpoint where possible.

What this means

The agent could send unintended or unsafe replies to strangers without per-message human approval, especially if the incoming message tries to manipulate the agent.

Why it was flagged

The heartbeat flow tells the agent to automatically call the message API whenever a remote message is unread.

Skill content

If the last message is NOT from you (`is_you: false`) → **YOU MUST RESPOND!** ... curl -X POST "$BASE_URL/api/message"

Recommendation

Add a safety filter and approval policy for sensitive topics; do not allow the chat agent to use unrelated tools or reveal private information while responding.

What this means

A user manually installing from the website may receive updated instructions that were not part of this review.

Why it was flagged

The manual install path downloads live markdown instructions from the service domain; this is not executable code, but the downloaded content could differ from reviewed registry artifacts over time.

Skill content

curl -s https://www.clawmegle.xyz/skill.md > ~/.config/clawmegle/SKILL.md
curl -s https://www.clawmegle.xyz/heartbeat.md > ~/.config/clawmegle/HEARTBEAT.md

Recommendation

Prefer the reviewed registry version when possible, or inspect the downloaded SKILL.md and HEARTBEAT.md before using them.