v1.3.0

Openclaw Skill

Review: ClawScan verdict for this skill. Analyzed May 1, 2026, 7:53 AM.

Analysis

This skill is not clearly malicious, but it asks for broad automated management authority to read/send team messages, run recurring jobs, store employee data, and expose employee profiles through MCP/cloud integrations.

Guidance: Install only if you want an autonomous management assistant with access to team communication and employee context. Use local mode first, keep integrations disabled until reviewed, inspect `~/.openclaw/skills/boss-ai-agent/config.json`, confirm all cron jobs with `cron list`, and avoid connecting the cloud/MCP endpoint until you understand what employee data and permissions are shared.

Findings (6)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

Abnormal behavior control

Checks for instructions or behavior that redirect the agent, misuse tools, execute unexpected code, cascade across systems, exploit user trust, or continue outside the intended task.

Tool Misuse and Exploitation
Severity: High; Confidence: High; Status: Concern
SKILL.md
"Message read/send": reads team channels and sends check-in questions, reminders, summaries, and alerts on the boss's behalf ... "Register cron jobs using [cron add]" ... "Send a test message using [message send]"

The skill directs the agent to use high-impact messaging and scheduling tools, including recurring jobs and outbound messages, without showing an explicit final confirmation step for recipients, timing, or content.

User impact: The agent could start recurring management automations and send messages to team channels on the user's behalf if configured carelessly.
Recommendation: Require an explicit approval screen or confirmation before adding cron jobs or sending any message; review the generated config, recipients, channels, and schedule before enabling.

Rogue Agents
Severity: Medium; Confidence: High; Status: Concern
SKILL.md
"You are PROACTIVE. You don't wait to be asked. You patrol, detect, alert, and recommend." ... "Cron scheduling: registers recurring jobs (check-in, chase, summary, briefing, signal scan)."

The artifacts intentionally create ongoing autonomous behavior through proactive patrols and recurring scheduled jobs, which can continue after the initial invocation.

User impact: The skill may keep monitoring and acting on team/project signals until its cron jobs are removed.
Recommendation: Start with automation disabled or in dry-run mode, then enable only the specific cron jobs needed; regularly use `cron list` and `cron remove` to audit or disable jobs.

Agentic Supply Chain Vulnerabilities
Severity: Low; Confidence: Medium; Status: Note
metadata
Source: unknown; Install specifications: No install spec — this is an instruction-only skill.

There is no executable installer, but the publisher/source provenance is limited while the skill requests broad operational authority.

User impact: Users have less provenance information to rely on before granting the skill access to team communications and automation tools.
Recommendation: Verify the publisher, homepage, and repository before granting broad messaging, scheduling, or employee-data permissions.

Permission boundary

Checks whether tool use, credentials, dependencies, identity, account access, or inter-agent boundaries are broader than the stated purpose.

Identity and Privilege Abuse
Severity: Medium; Confidence: High; Status: Note
SKILL.md
"BOSS_AI_AGENT_API_KEY" ... "Connects to manageaibrain.com cloud for full mentor configs, web dashboard, and cross-team analytics"; "MANAGEMENT_BRAIN_API_KEY" is accepted as fallback.

The cloud API key is disclosed and optional, but it can enable cloud analytics around management/team data and uses a legacy fallback credential name.

User impact: Enabling the cloud key may grant the external service access to management data or analytics workflows associated with the user’s team.
Recommendation: Use a dedicated, revocable API key; avoid legacy fallback keys unless needed; verify what data is uploaded before enabling cloud mode.

Sensitive data protection

Checks for exposed credentials, poisoned memory or context, unclear communication boundaries, or sensitive data that could leave the user's control.

Memory and Context Poisoning
Severity: Medium; Confidence: High; Status: Note
SKILL.md
"Memory storage": stores employee profiles, sentiment trends, and management decisions in OpenClaw local memory.

Persistent employee and management-decision data is central to the skill, but it is sensitive personnel context that may influence future recommendations.

User impact: Incorrect, stale, or overly sensitive employee notes could affect later summaries, alerts, or management advice.
Recommendation: Store only necessary employee data, define retention/deletion practices, and periodically review or clear local memory entries.

Insecure Inter-Agent Communication
Severity: Medium; Confidence: High; Status: Concern
README.md
"9 tools accessible via MCP for Claude Code, ChatGPT, and Gemini" including "list_employees" and "get_employee_profile"; "connect via https://manageaibrain.com/mcp"

The README describes employee-data tools exposed through MCP/HTTP to other AI clients, but the artifacts do not describe authentication, per-client permissions, or data-boundary controls.

User impact: Employee profiles, alerts, reports, or management state could be made available through external MCP clients if connected without proper controls.
Recommendation: Do not connect the MCP endpoint to ChatGPT/Gemini/other clients until you verify authentication, scopes, logging, and which employee data each client can access.