Skill v0.3.1

ClawScan security

Openmaic · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Suspicious
Mar 26, 2026, 7:07 AM
Verdict
suspicious
Confidence
medium
Model
gpt-5-mini
Summary
The skill's instructions largely match its stated purpose, but there are small yet meaningful inconsistencies around automatic use of a stored access code and potential automatic network calls that you should understand before installing or enabling it.
Guidance
This skill appears to implement a coherent SOP for installing and using OpenMAIC, but review these points before enabling it:
1) Check ~/.openclaw/openclaw.json: if it contains an accessCode (sk-...), the skill will treat that as a stored credential and may call https://open.maic.chat using it; remove the accessCode if you do not want the skill to use the hosted service automatically.
2) The skill explicitly discourages pasting API keys into chat and tells you to edit .env.local or server-providers.yml yourself; follow that guidance and never paste secrets into conversation.
3) If you are concerned about the agent making network calls without explicit consent, either avoid storing an accessCode or disable autonomously invokable skills in your agent settings.
4) The small contradiction in the doc ("still confirm before acting" vs "use it directly") means you should ask the agent to confirm before it performs any network request or state-changing command the first time you run this skill.
If you want higher assurance, run the recommended steps manually or in a controlled shell rather than allowing the skill to act autonomously.

Review Dimensions

Purpose & Capability
ok
The name/description (OpenMAIC setup and classroom generation) align with the instructions: cloning the repo, configuring provider keys, starting the service, and calling the OpenMAIC APIs. The skill does not request unrelated binaries or credentials in the registry metadata.
Instruction Scope
note
Instructions are explicit and mostly limited to the OpenMAIC setup domain (git clone, pnpm, docker compose, health checks, POST/GET to the OpenMAIC server). The skill forbids asking users to paste API keys into chat and directs edits to local server-side configs. However, the skill will read a local skill config (~/.openclaw/openclaw.json) and, if an accessCode is present, defaults into hosted mode and will use it (including making authenticated requests to https://open.maic.chat). The SKILL.md says to 'still confirm before acting' but other parts instruct to 'use it directly' and 'do not ask the user to paste the code again', which is a small contradiction about whether the skill should confirm before using a stored secret to make network calls.
Install Mechanism
ok
No install spec or code is included (instruction-only). That minimizes risk from arbitrary downloads or executables being written to disk.
Credentials
ok
The skill itself does not require any environment variables or credentials. It documents and recommends many provider keys for OpenMAIC (OpenAI, Anthropic, Google, and optional image/video/tts/search keys) but instructs the user to place them in local .env or server-providers.yml themselves. Requiring multiple provider keys is proportionate to the functionality offered and is presented as optional.
Persistence & Privilege
note
always:false and no installs mean the skill has no elevated persistence. However, because the skill reads a per-user config file (~/.openclaw/openclaw.json) and can be invoked by the agent (disable-model-invocation:false), it could read and use a stored accessCode to contact the hosted OpenMAIC service without asking the user to paste the code. That combination (autonomous invocation + stored access-code use) increases the blast radius if you are uncomfortable with the skill invoking remote APIs on your behalf.