Unity Skill
Suspicious
Audited by ClawScan on May 10, 2026.
Overview
This appears to be a real Unity Editor control skill, but it exposes broad project-changing and script-execution powers while its documented safety setting conflicts with the registry metadata.
Install only if you are comfortable giving OpenClaw broad control over a Unity Editor session. Use a backed-up or test project first, verify whether model invocation is actually disabled in your registry settings, restrict gateway network exposure, and require explicit approval for asset deletion, package installation, and script.execute actions.
Findings (5)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Finding 1
Risk: A user may believe Unity-changing tools cannot be called unless explicitly requested, even though the registry settings shown here allow autonomous invocation.
Detail: The documentation presents disabled model invocation as a security property, while the registry metadata indicates the agent can invoke the skill autonomously.
Evidence: metadata: "disable-model-invocation: false"; SKILL.md: "disableModelInvocation: true" and "AI가 자동으로 도구를 호출하지 않음" (Korean: "the AI does not call tools automatically")
Recommendation: Align the registry setting and the documentation. If autonomous invocation is allowed, disclose it clearly and require confirmations for destructive or code-executing Unity actions.

Finding 2
Risk: A mistaken or autonomous tool call could delete project assets, modify scenes or components, install Unity packages, or otherwise change the project state.
Detail: The gateway extension accepts an arbitrary Unity tool name and parameter object and forwards it to Unity; no allowlist or confirmation layer is visible in the artifact. The documented tool set includes destructive and environment-changing actions.
Evidence: extension/index.ts: "tool: { type: \"string\" ... }" and "session.pendingCommands.push({ tool, arguments: parameters || {} })"; references/tools.md: "asset.delete - Delete asset" and "package.add"
Recommendation: Add explicit allowlists, per-action confirmations for destructive, package and script tools, safer defaults, undo/dry-run guidance, and clear session selection before executing commands.

Finding 3
Risk: The agent can cause code or methods to run inside the Unity project, which may change runtime state, PlayerPrefs, editor state, or project behavior.
Detail: The skill documents a Unity-side command execution feature, including reflection-based method calls. This is useful for development but is a powerful execution capability.
Evidence: "script.execute" ... "Execute command" ... "reflection-based method calls" ... "MyClass.MyStaticMethod()"
Recommendation: Use this only in backed-up development projects and require explicit user approval before any script.execute or reflection-based call.

Finding 4
Risk: If the gateway route is reachable by an unintended local or network client, that client may be able to observe Unity session metadata or interfere with command/result flows.
Detail: The HTTP bridge exposes session status, command polling, and result submission flows, but the provided handler shows no authentication or origin restriction beyond knowledge of a sessionId; the status endpoint also returns session IDs.
Evidence: "Access-Control-Allow-Origin", "*"; "case \"status\"" returns "sessionId"; "case \"poll\"" reads "sessionId" from query parameters; "case \"result\"" accepts "sessionId, toolCallId, result"
Recommendation: Require authentication or per-session secrets, restrict CORS and network exposure, avoid exposing session IDs through the status endpoint, and document the intended trust boundary.

Finding 5
Risk: Installing the skill adds persistent gateway code that can expose the unity_execute tool while the gateway is running.
Detail: The install script copies the included extension into the OpenClaw gateway extensions directory, making it loadable after a gateway restart. This is disclosed and user-directed.
Evidence: EXTENSION_DST="$HOME/.openclaw/extensions/unity" ... cp -r "$EXTENSION_SRC"/* "$EXTENSION_DST"/
Recommendation: Run the installer only from a trusted checkout, review extension/index.ts before installation, and remove ~/.openclaw/extensions/unity if you no longer need the bridge.
