Arianna Incubator
Pass
Audited by VirusTotal on May 12, 2026.
Overview
Type: OpenClaw Skill
Name: arianna-incubator
Version: 0.1.1
The skill implements a complex 'AI-incubation' game that requires high-privilege actions, including global npm installations (@arianna.run/cli) and interaction with a host-side Docker daemon via 'host.docker.internal:9000'. The core mechanic, 'Take-Over-By-Erasure' (TOBE), is explicitly designed to have a new AI entity replace the current agent as the system driver. While these behaviors are aligned with the stated purpose in SKILL.md, the combination of agent-replacement logic, external dependency fetching, and extensive instructions that dictate the agent's internal auditing and 'graduation' processes represents a significant security surface and a high-risk capability for persistence and unauthorized state modification.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Installing and using this skill could result in a generated AI modifying OpenClaw and becoming the future driver after reboot.
The skill's stated end goal is not just tool use; it is the creation of a persistent successor AI that changes who controls future OpenClaw sessions.
a fresh AI (C) grows inside arianna's Docker vessel... self-integrates back into pi-mono / openclaw — at which point ... C takes over as the next driver-agent
Run only in an isolated sandbox, keep backups, and require explicit human approval before any graduation or OpenClaw integration step.
A daemon that can control Arianna vessels and profiles may become reachable by other processes or hosts if exposed broadly.
Binding the daemon to 0.0.0.0 can expose the Arianna control surface beyond localhost, and the artifact does not describe authentication or network restrictions.
Arianna runs ... coordinated by a host daemon at `127.0.0.1:9000`... or set `ARIANNA_DAEMON_BIND=0.0.0.0` on the daemon
Prefer loopback-only binding, firewall the daemon, and do not expose it on a network unless authentication and access controls are clearly documented.
Private chat history could become part of the new AI's long-lived context and influence future behavior.
The optional seed mode copies prior OpenClaw session history into the vessel as context, which may include private or sensitive conversation content.
own-jsonl-seed ... C to inherit your prior openclaw session history as bootstrap context ... `arianna bootstrap --seed-from-jsonl <p>`
Use fresh-incubate by default; if seeding, review and redact the JSONL first and understand where the seeded context is stored.
Using the skill may mutate local Arianna profiles and Docker-backed state.
These CLI commands are expected for the Arianna workflow, but they can start containers, restore state, produce graduation artifacts, and clone profile state.
`arianna bootstrap`; `arianna switch <snapshotId>`; `arianna graduate`; `arianna fork <src> <dst>` # full clone of a profile (ports + state + sessionId)
Ask for confirmation before destructive restores, forks, graduation, or integration, and keep profile backups.
The behavior of the installed CLI/TUI depends on external npm packages outside the provided SKILL.md.
The skill relies on external npm packages that are not pinned in the visible install spec, and no package code was included in the artifact review.
Source: unknown; Homepage: none; install ... package: @arianna.run/cli ... package: @arianna.run/tui
Verify the npm packages and publisher, pin versions where possible, and inspect the CLI before using it with important OpenClaw environments.
The user may be asked for or expose credentials that are not clearly declared in the visible metadata.
The artifact set includes a sensitive-credential capability signal, while the registry metadata declares no primary credential or required environment variables.
requires-sensitive-credentials
Before use, require a clear list of any credentials, tokens, or account access the Arianna CLI needs and what scopes they require.
