v1.0.0

openclaw-cheatsheet

Review: ClawScan verdict for this skill. Analyzed May 1, 2026, 5:54 AM.

Analysis

This is mostly a documentation-only OpenClaw CLI cheatsheet, but it includes unexpected examples for running an unreviewed local Node script and creating a calendar event through an external tool.

Guidance: Use this as a CLI reference only after reviewing the examples. Do not run the discussion_runner.js live-mode command unless you have inspected and trust that local script, and remove or replace the gog calendar example before copying commands. Continue requiring explicit confirmation before config, gateway, cron, agent, message, or other state-changing operations.

Findings (3)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

Abnormal behavior control

Checks for instructions or behavior that redirect the agent, misuse tools, execute unexpected code, cascade across systems, exploit user trust, or continue outside the intended task.

Unexpected Code Execution
Severity: Medium, Confidence: High, Status: Concern
references/openclaw-cheatsheet.md
node ~/.openclaw/workspace-shared/scripts/discussion/discussion_runner.js --topic "주제" --mode live --rounds 3

The primary reference includes a live-mode command that executes a local Node script outside the package and outside the stated OpenClaw CLI cheatsheet scope.

User impact: A user or agent could run unreviewed local code with the user's local files and connected-service access.
Recommendation: Remove this example from the cheatsheet or clearly mark it as an optional external workflow; provide the script source/provenance, require explicit user confirmation, and prefer dry-run mode until reviewed.

Tool Misuse and Exploitation
Severity: Medium, Confidence: High, Status: Concern
README.md
gog calendar create iam@minhl.net --summary "퀵 호출" --from "2026-02-20T09:00:00+09:00" --to "2026-02-20T09:15:00+09:00"

The README provides a copy-paste example for an unrelated calendar tool with a fixed email/account target, which does not match the stated OpenClaw CLI reference purpose and mutates external account data.

User impact: If copied or surfaced by an agent, this could create a calendar event in the wrong account or encourage use of an unrelated credentialed tool.
Recommendation: Replace this with an OpenClaw-specific example, remove the hard-coded email, and require the user to supply and confirm any external account target before running calendar mutations.

Permission boundary

Checks whether tool use, credentials, dependencies, identity, account access, or inter-agent boundaries are broader than the stated purpose.

Identity and Privilege Abuse
Severity: Low, Confidence: High, Status: Note
references/openclaw-cheatsheet.md
`DISCORD_PANEL_WEBHOOK_URL` | Discord webhook (agent persona delivery)

The reference documents a Discord webhook URL, which is credential-like and can post to Discord if exposed or misused.

User impact: Users may need to handle Discord webhook secrets carefully if they use that optional workflow.
Recommendation: Only configure webhook URLs for workflows you intend to use, keep them out of shared files, and rotate them if accidentally exposed.