v1.6.1

Unity Skill

ReviewClawScan verdict for this skill. Analyzed May 1, 2026, 5:28 AM.

Analysis

This Unity skill matches its stated purpose, but it grants broad project-changing and code-execution control while its autonomy and HTTP bridge boundaries are not clearly enforced.

GuidanceInstall only in a trusted development environment, back up your Unity project first, verify whether model auto-invocation is actually disabled, keep the gateway local/private, and require manual approval before asset deletion, package installation, play/input automation, or script execution.

Findings (6)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

Abnormal behavior control

Checks for instructions or behavior that redirect the agent, misuse tools, execute unexpected code, cascade across systems, exploit user trust, or continue outside the intended task.

Human-Agent Trust Exploitation

SeverityHighConfidenceHighStatusConcern

metadata

disable-model-invocation: false (default — agent can invoke autonomously, this is normal)

This conflicts with SKILL.md and README claims that disableModelInvocation is true and that the AI will not automatically call tools. For a Unity control skill with destructive and code-execution tools, that is a material trust mismatch.

User impactA user may install it believing Unity actions require explicit requests, while the registry setting allows the agent to invoke the skill autonomously.

RecommendationVerify the effective disable-model-invocation setting before use, align the registry and documentation, and require explicit confirmation for destructive, package, input, play-mode, and script-execution actions.

Tool Misuse and Exploitation

SeverityHighConfidenceHighStatusConcern

extension/index.ts

tool: { type: "string" ... }, parameters: { type: "object" ... } ... session.pendingCommands.push({ tool, arguments: parameters || {} })

The gateway registers a broad dispatcher that queues arbitrary Unity tool names and parameter objects to the active Unity session. The documentation lists high-impact operations such as object destruction, component changes, asset deletion, package installation, and script execution.

User impactA mistaken or autonomous tool call could modify the wrong Unity scene, delete or move project assets, change components, or install packages.

RecommendationAdd tool allowlists, explicit session selection, dry-run/preview behavior, and confirmation gates for destructive or project-wide changes.

Unexpected Code Execution

SeverityHighConfidenceHighStatusConcern

references/tools.md

script.execute ... Execute command. Supports Debug.Log, Time, PlayerPrefs, and reflection-based method calls ... MyClass.MyStaticMethod()

The skill explicitly exposes Unity-side command execution and reflection-based method calls, which can change runtime state, saved preferences, or project behavior beyond safer scoped editor operations.

User impactThe agent could run powerful Unity code paths or reflection calls that alter gameplay state, editor state, project data, or test outcomes.

RecommendationRestrict script execution to reviewed allowlisted commands or methods, log all executed code, and require user approval before running any arbitrary code or reflection call.

Agentic Supply Chain Vulnerabilities

SeverityLowConfidenceHighStatusNote

scripts/install-extension.sh

EXTENSION_DST="$HOME/.openclaw/extensions/unity" ... cp -r "$EXTENSION_SRC"/* "$EXTENSION_DST"/

The setup script installs the included extension into OpenClaw's extension directory. This is purpose-aligned and does not show remote downloads, but the registry lists no install spec, so users should notice the persistent extension install step.

User impactInstalling the skill can add a gateway extension that remains available after setup, rather than being only a passive instruction file.

RecommendationReview the included extension code before running the install script, and remove ~/.openclaw/extensions/unity if you no longer want the bridge installed.

Rogue Agents

SeverityLowConfidenceHighStatusNote

SKILL.md

Auto-connects when Unity opens

The Unity bridge is designed to reconnect automatically when Unity opens. This is disclosed and central to the skill's purpose, but it means the bridge can persist beyond a single explicit task.

User impactUnity may remain connected to the OpenClaw gateway whenever the plugin is enabled, allowing future tool use without reinstalling.

RecommendationDisable the Unity bridge or remove the gateway extension when not actively using agent-driven Unity control.

Sensitive data protection

Checks for exposed credentials, poisoned memory or context, unclear communication boundaries, or sensitive data that could leave the user's control.

Insecure Inter-Agent Communication

SeverityMediumConfidenceHighStatusConcern

extension/index.ts

res.setHeader("Access-Control-Allow-Origin", "*"); ... case "status": { ... sessionId: s.sessionId ... }

The HTTP bridge allows any browser origin and exposes Unity session IDs through a status endpoint, with no authentication or origin validation visible in the extension code. Polling and result submission also rely on session IDs.

User impactIf the gateway endpoint is reachable, another local or network client could enumerate Unity sessions, interfere with queued commands, or spoof command results.

RecommendationBind the bridge to trusted local interfaces only, require authentication or signed session tokens, avoid exposing session IDs unnecessarily, and validate Unity client identity for poll/result endpoints.