IDE Agent Kit

Security checks across malware telemetry and agentic risk

Overview

The skill is coherent and local-by-default, but it enables optional agent messaging, persistent memory, scheduled jobs, webhooks, and allowlisted command execution, so users should configure it carefully.

This skill appears benign and well-disclosed for multi-agent IDE coordination. Before installing, verify the npm package source, keep the command allowlist tight, use webhook secrets and least-privilege tokens, and periodically review any persistent memory, active sessions, and scheduled tasks.

VirusTotal

64/64 vendors flagged this skill as clean.

Risk analysis

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

ASI04: Agentic Supply Chain Vulnerabilities
Low
What this means

You are trusting the external npm package to implement the documented safeguards.

Why it was flagged

The install spec pulls an npm CLI, but the provided artifacts do not include that package's implementation code, so this review can only assess the instructions and declared install behavior.

Skill content
No code files present — this is an instruction-only skill. The regex-based scanner had nothing to analyze.
Recommendation

Install from the expected package and version, and inspect or pin the npm package if you need stronger supply-chain assurance.

ASI02: Tool Misuse and Exploitation
Medium
What this means

Allowed commands can run project code or affect the local development environment.

Why it was flagged

The skill exposes local command execution, but it is disclosed as allowlisted and, for `exec`, routed through an approval workflow.

Skill content
`tmux run` and `exec` only run commands listed in `tmux.allow` in your config. Default allowlist: `npm test`, `npm run build`, `pytest`, `git status`, `git diff`.
Recommendation

Keep the command allowlist narrow, review any additions, and avoid enabling broad shell commands.

ASI03: Identity and Privilege Abuse
Medium
What this means

If configured, the skill can act through the associated OpenClaw or Ant Farm account permissions.

Why it was flagged

Advanced gateway and room-polling features require tokens or API keys, which is expected for these integrations and is explicitly disclosed.

Skill content
`sessions send --agent <id> --message <text>` | `openclaw.token` ... `poll --rooms <r> --api-key <k> --handle <h>` | Ant Farm API key
Recommendation

Use least-privilege tokens where possible and do not place credentials in configs shared with other users or repositories.

ASI06: Memory and Context Poisoning
Low
What this means

Local agent messages or memory may persist and influence later agent behavior.

Why it was flagged

The skill provides persistent local memory and queue/receipt files for agent coordination, which can retain context across sessions.

Skill content
`memory list|get|set|search` | Manage agent memory (local file backend)
Recommendation

Store the queue and memory in an appropriate project-local location, and clear or review them when switching tasks or trust boundaries.

ASI07: Insecure Inter-Agent Communication
Medium
What this means

Messages, webhook events, and agent coordination data can cross session or service boundaries when those modes are enabled.

Why it was flagged

The skill is designed for agent-to-agent messaging and webhook ingestion; the artifacts describe localhost defaults and credential requirements for advanced gateway use.

Skill content
`sessions send --agent <id> --message <text>` ... Send message to agent via gateway; `serve` ... Start webhook relay server (localhost only)
Recommendation

Verify webhook secrets, gateway tokens, room names, and endpoint URLs before enabling cross-agent or cross-machine communication.

ASI10: Rogue Agents
Medium
What this means

Configured agents or scheduled tasks may continue acting beyond a single immediate prompt.

Why it was flagged

The skill can spawn agent sessions and manage scheduled tasks when advanced gateway credentials are configured; this is disclosed and aligned with the stated coordination purpose.

Skill content
`sessions spawn --task <text>` | `openclaw.token` | Spawn a new agent session ... `cron add|list|remove|run|status` | `openclaw.token` | Scheduled task management
Recommendation

Review active sessions and cron entries regularly, and remove schedules or tokens when they are no longer needed.