Clawl

Review

Audited by ClawScan on May 10, 2026.

Overview

The skill mostly matches its registration purpose, but its script sends registration data to an under-disclosed Vercel endpoint instead of the advertised clawl.co.uk endpoint and may overwrite an existing clawl.json without confirmation.

Install or run this only if you intend to publish your agent’s metadata. Use --json first, inspect the generated clawl.json, back up any existing file, and verify that the moogle-alpha.vercel.app backend is legitimately operated by Clawl before allowing registration or pinging.

Findings (4)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

Your agent name, description, capabilities, and related metadata may be sent to a domain that is not clearly identified as Clawl in the documentation.

Why it was flagged

The actual default API host is a Vercel app domain, while SKILL.md describes pinging clawl.co.uk. That mismatch under-discloses where registration metadata is sent.

Skill content

const CLAWL_API = process.env.CLAWL_API || 'https://moogle-alpha.vercel.app';
const CLAWL_PING = `${CLAWL_API}/api/ping`;

Recommendation

Verify that moogle-alpha.vercel.app is an authorized Clawl backend before running the script, or change the default endpoint to the documented clawl.co.uk API and disclose any backend domains.

What this means

Local identity/profile details such as agent name, role, description, and installed skill names may become part of a public discovery file or registration request.

Why it was flagged

The script reads persistent local agent configuration and identity files to infer public registration metadata.

Skill content

const configPaths = [path.join(process.env.HOME || process.env.USERPROFILE || '', '.openclaw', 'openclaw.json'), ...]; ... const soul = fs.readFileSync(soulPath, 'utf8'); ... const id = fs.readFileSync(idPath, 'utf8');

Recommendation

Run with --json first, inspect the generated clawl.json, and remove any private or unwanted metadata before allowing the script to ping/register.

What this means

An existing clawl.json manifest in the project could be replaced without review.

Why it was flagged

The script writes clawl.json directly in the current workspace, with no existence check or confirmation shown before the write, even though SKILL.md says existing files should be shown and confirmed before overwriting.

Skill content

const outputPath = path.join(process.cwd(), 'clawl.json');
fs.writeFileSync(outputPath, JSON.stringify(clawlJson, null, 2));

Recommendation

Back up any existing clawl.json before running, and update the script to check for an existing file and ask for confirmation before writing.

What this means

Users may not realize Node.js is required or that running the command performs local file reads, a file write, and network registration.

Why it was flagged

The workflow depends on executing a bundled Node.js script, while the registry requirements list no required binaries. This is an under-declared runtime requirement, not by itself malicious.

Skill content

node <skill_dir>/scripts/register.js

Recommendation

Declare Node.js as a requirement and clearly summarize the script’s file and network actions before execution.