Skill v2.3.0

ClawScan security

AI Court (AI 朝廷) · Multi-Agent Collaboration System · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Review · Mar 30, 2026, 11:16 AM
Verdict: Review
Confidence: medium
Model: gpt-5-mini
Summary
The skill is coherent with a multi‑agent OpenClaw configuration, but several operational instructions (storing many credentials in template files, making workflows public in channels, copying/overwriting ~/.openclaw, and wide inter-agent permissions) raise privacy/secret‑exposure and operational risks that you should understand before installing.
Guidance
This package is largely a collection of OpenClaw configuration templates and agent prompt identities; it matches its stated purpose but carries operational risks you should address before using it:

- Inspect configs before copying: do not blindly cp templates to ~/.openclaw. Back up your current ~/.openclaw/openclaw.json first.
- Secrets handling: the templates expect Feishu appId/appSecret and LLM API keys inside the JSON. Avoid storing long‑lived secrets in plaintext in repo files; use a secrets manager or environment variables where possible and remove secrets from any repository clones.
- Channel visibility: the SKILL explicitly says workflow/dispatch is public in channels. Using public group channels to coordinate actions or push diffs can leak secrets (DB connection strings, API keys, code containing secrets). Configure DM policies and channel access conservatively.
- Minimize blast radius: create limited-scope Feishu apps/service accounts for bots (rotate credentials), and do not reuse high‑privilege credentials. Limit which agents can run with sandbox 'off' and avoid enabling wide subagent lists until you trust the deployment.
- Verify provenance: the skill links to external GitHub repos (wanikua, danghuangshang). Review those repos and their Docker/deployment instructions before cloning or running them.
- Run in isolated environment first: test in a non‑production VM or container, review what files/directories are created (workspaces under $HOME/clawd-*) and confirm webhook endpoints and who can trigger them.

If you want, I can: (1) list the exact files that will be overwritten/created from the templates; (2) produce a short checklist of configuration changes to harden secrets and channel visibility; or (3) review the linked GitHub repos for suspicious contents if you provide their URLs.

Review Dimensions

Purpose & Capability
ok: The name/description (multi‑agent OpenClaw 'AI Court') match the provided assets: many OpenClaw config templates and agent identities for Feishu/Discord deployment. The credential types implied (Feishu appId/appSecret, LLM provider API key) are expected for this purpose.
Instruction Scope
concern: Runtime instructions tell you to copy template JSONs into ~/.openclaw/openclaw.json, populate appId/appSecret and provider API keys, then restart the gateway. The SKILL explicitly requires workflows to be '公开在频道内' (all workflows visible in channels) and uses sessions_send/spawn and message tools — this increases the chance that sensitive content (prompts, configs, diffs) could be posted to chat channels. The configs reference GitHub webhook triggers and automatic code-review flows that will surface commit diffs into channels. These behaviors go beyond mere orchestration and create clear data‑exposure risks.
Install Mechanism
ok: This is instruction‑only with no install spec or downloads; nothing is fetched or executed by the skill itself. That lowers supply‑chain/remote code risk. However, the README suggests cloning external GitHub repos (wanikua/danghuangshang) — cloning external code is an action left to the user and should be inspected before use.
Credentials
concern: The skill declares no required env vars, but the templates require placing many secrets (Feishu appId/appSecret per bot, LLM provider baseUrl/apiKey) into a JSON config under the user home directory. Requiring multiple per-bot app secrets is expected for multi‑bot Feishu setups, but storing them in plaintext templates and then instructing agents to operate in publicly visible channels is disproportionate from a confidentiality viewpoint. There is no guidance in the SKILL.md to use a secret manager or restrict where those secrets are stored.
Persistence & Privilege
note: The skill does not set always:true and does not autonomously install binaries. However, it instructs the user to copy templates into ~/.openclaw (which may overwrite an existing OpenClaw config), create agent workspaces under $HOME, and enables broad agent-to-agent communication (many agents have sandbox mode 'off' or 'all' and subagent allowances). That grants the deployed agents substantial scope within the OpenClaw environment; consider backing up existing configs and limiting agent privileges.