Back to skill
Skillv1.0.0
ClawScan security
Creem Agent · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
SuspiciousMar 31, 2026, 11:23 AM
- Verdict
- suspicious
- Confidence
- medium
- Model
- gpt-5-mini
- Summary
- The skill is generally coherent with being a Creem store operations agent, but several instruction/template inconsistencies and an automatic
- Guidance
- What to check before installing: - Review the included files yourself (you already have install.sh and scripts/heartbeat.py). The bundle does not download remote code, which reduces risk. - Be cautious about the CREEM_API_KEY: run the skill with a test API key or a key scoped to non-production access if possible. Limit permissions to the minimum required (read-only where possible; avoid keys that can create discounts or alter billing unless you explicitly want that). - The skill's docs and SOUL.md instruct it to automatically create winback discounts and draft emails without asking. If you do not want automated changes to your store (discount creation, billing updates), remove/modify those rules in SOUL.md and SKILL.md or intercept/require confirmation before such actions. - The template suggests automatic posting to Discord and use of webhooks (DISCORD_BOT_TOKEN, LOCAL_WEBHOOK_SECRET) but these env vars are not declared; ensure you do not accidentally provide these secrets to an environment where the skill will post publicly. - The heartbeat writes state to ~/.creem/heartbeat-state.json; inspect that file and its contents and consider its permissions. Rotate the API key if you suspect exposure. - Consider running the heartbeat script manually once (python3 scripts/heartbeat.py) with controlled credentials to observe behavior before enabling scheduled/autonomous runs. - If you accept the skill, explicitly review and tighten the OpenClaw gateway configuration (heartbeat frequency, allowed channels, whether the skill is enabled) so the agent cannot make frequent autonomous store-altering requests without oversight.
Review Dimensions
- Purpose & Capability
- noteThe name/description, required binaries (creem, curl, python3) and the CREEM_API_KEY env var match a Creem operations agent. However the included template/openclaw.json references DISCORD_BOT_TOKEN and LOCAL_WEBHOOK_SECRET (for posting to Discord and hooks) even though those env vars are not declared in the skill metadata — an inconsistency that could lead to unexpected external posting if the template is applied.
- Instruction Scope
- concernRuntime instructions require running the creem CLI and the bundled heartbeat.py (which reads/writes ~/.creem/heartbeat-state.json) — expected. But the skill contains explicit operational directives to automatically create winback discounts and draft emails without asking the user ('Do not ask for permission first. Produce the solution'), and the SKILL.md/HEARTBEAT.md tell the agent to post alerts to Discord. Automatically issuing POST requests that change store state (creating discounts) is an active operation with financial side effects and should require explicit user consent or tighter guardrails. The documents also direct the agent to curl external docs at creem.io (expected), and the heartbeat uses subprocess.run(shell=True) for CLI calls (works but is less safe than argv-style calls).
- Install Mechanism
- okNo network-installer or third‑party downloads. install.sh is local, makes the heartbeat executable and creates ~/.creem state directory. The install script does not fetch remote code or write to system-wide locations. Low installation risk.
- Credentials
- concernOnly CREEM_API_KEY is declared as required and that is appropriate for a Creem-admin skill. But templates reference other secrets (DISCORD_BOT_TOKEN, LOCAL_WEBHOOK_SECRET) that are not declared in the metadata — this is an inconsistency. The SKILL.md and SOUL.md instruct use of CREEM_API_KEY in API calls (e.g., curl to create discounts), so ensure the key has the minimal permissions necessary; storing the key in ~/.openclaw/.env (suggested by install.sh) could expose it to other local services if that file is widely read.
- Persistence & Privilege
- concernalways:false (good). However the provided openclaw.json template enables periodic heartbeats (every 30m) and enables the skill by default in the template. Combined with instructions that the agent should autonomously create discounts and post to Discord, that gives it the ability to make repeated automatic changes to the store and external channels. Autonomous invocation + auto-change behavior raises risk and should be reviewed/consented to by the operator.