Skillv1.0.8

ClawScan security

Team Dispatch · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

SuspiciousMar 9, 2026, 1:49 PM

Verdict: suspicious
Confidence: medium
Model: gpt-5-mini
Summary: The skill's files and runtime instructions largely match a multi‑agent orchestration purpose, but it asks an agent to autonomously run install/detection scripts that modify OpenClaw config, create persistent watchers/launch agents, and broaden subagent permissions — while declaring no credentials — which is a mismatch and warrants caution.
Guidance: This package contains many scripts and will modify your OpenClaw installation (create ~/.openclaw symlinks, write agent workspaces, edit openclaw.json, install a watcher/launchd job, and restart the Gateway). Before running anything or allowing an agent to execute the detection/install flow: 1) Inspect scripts/setup.sh, scripts/watch.sh, scripts/watch.py and publish-clawhub.mjs to see exactly what they do (file copies, edits, network calls, service restarts). 2) Backup ~/.openclaw/openclaw.json and any existing agent dirs. 3) Check for any hardcoded paths or placeholders (e.g., the plist uses literal HOME in some entries). 4) Confirm you are comfortable granting the skill permission to edit openclaw.json and to set main.subagents.allowAgents: ["*"], as this widens which subagents the main dispatcher can spawn. 5) If you do not want persistent watchers or automated gateway restarts, avoid running setup.sh or run it with a dry‑run / in a sandbox. 6) Verify which model/provider credentials are required (OAuth/API keys) — the skill doesn’t list them but will likely need provider access to function. If you are unsure, treat this as untrusted code and run inside an isolated environment or review with a sysadmin before installing.

Review Dimensions

Purpose & Capability: noteName/description (multi‑agent orchestration) match the included assets: agent templates, workspace files, watcher scripts and setup scripts. Creating agent workspaces, task directories, and a watcher is coherent for this purpose. However, the skill does not declare any required credentials or environment variables despite referencing provider models (openai-codex/gpt-5.4, OAuth) and including scripts that may call network tools (clawhub). That omission is disproportionate to the stated model/provider usage.
Instruction Scope: concernSKILL.md explicitly instructs the agent to run a detection/install flow and to execute bash <SKILL_DIR>/scripts/setup.sh automatically. The setup writes symlinks, copies templates into ~/.openclaw/agents, creates and edits ~/.openclaw/configs/team-dispatch.json and openclaw.json (agents.list), and restarts the Gateway. These instructions give the agent broad filesystem and configuration modification powers and the discretion to restart services; they also instruct creating persistent system scheduler entries (launchd/cron). While these actions are logically related to provisioning a dispatcher, instructing an agent to perform them automatically is high‑impact and should be confirmed by a human. The SKILL.md also asks to set main.subagents.allowAgents: ["*"], which widens allowed subagent permissions.
Install Mechanism: noteThere is no formal install spec in registry metadata (instruction-only), but the repository includes many scripts (setup.sh, watch.sh, watch.py, publish-clawhub.mjs) and assets (launchd plists). Running setup.sh will copy files into user home directories and create persistent scheduler entries. Because there is no registry install step, the potentially dangerous operations are performed by these included scripts when executed — inspect them before running. The install sources are local (in-repo), not external downloads.
Credentials: concernThe skill declares no required env vars or primary credential, yet SKILL.md configures models (openai-codex/gpt-5.4, oauth) and fallback providers and mentions running clawhub (which requires auth). The watcher and publish script could make outbound calls. Not declaring needed credentials is a mismatch: an operator will likely need provider credentials and gateway access for the provided functionality. Additionally, the skill writes configuration that may include model/provider fields into openclaw.json without documenting where provider secrets should come from.
Persistence & Privilege: concernThe setup flow writes to ~/.openclaw (skills symlink, agents, configs), edits the platform-wide openclaw.json agents.list (ensuring main exists and setting main.subagents.allowAgents: ["*"]) and restarts the Gateway. It also installs scheduler artifacts (launchd plist / watcher) and creates sessions directories. Those are persistent, platform‑wide changes and broaden the dispatcher/main agent's authority. While some persistence is expected for a dispatcher skill, changing agents.list and enabling '*' for subagents plus installing KeepAlive watchers increases the blast radius and should be explicitly authorized by the human operator.