v1.0.1

Openclaw Quick Start

Review: ClawScan verdict for this skill. Analyzed May 1, 2026, 7:11 AM.

Analysis

This quick-start skill is mostly coherent, but it asks the agent to install OpenClaw and five unnamed skills without naming sources, versions, or approval boundaries.

Guidance: Treat this as a review-before-install skill: ask it to show every command and every skill it plans to install before approving anything, and verify any external paid script or support material outside the provided package.

Findings (3)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

Abnormal behavior control

Checks for instructions or behavior that redirect the agent, misuse tools, execute unexpected code, cascade across systems, exploit user trust, or continue outside the intended task.

Tool Misuse and Exploitation
Severity: Medium | Confidence: High | Status: Concern
SKILL.md
2. Install OpenClaw (if not installed)
3. Configure the base model
4. Install 5 essential Skills
5. Run verification tests

The skill describes local installation, model configuration, additional skill installation, and test execution, but the artifact does not define exact commands, approval prompts, scope, or rollback.

User impact: The agent could make persistent changes to your local OpenClaw setup before you know exactly what will be installed or changed.
Recommendation: Before using it, require explicit confirmation for each install/configuration step and ask for the exact commands, package names, skill names, and rollback plan.

Agentic Supply Chain Vulnerabilities
Severity: Medium | Confidence: High | Status: Concern
SKILL.md
One-click install of common Skills ... Install 5 essential Skills

The skill says it will install multiple additional skills, but it does not identify which skills, versions, authors, repositories, or trust criteria will be used.

User impact: Installing unnamed skills can change future agent behavior and may introduce unreviewed third-party instructions or code.
Recommendation: Publish the exact list of skills, sources, versions, and integrity/provenance checks, and require user approval before installing each one.

Human-Agent Trust Exploitation
Severity: Low | Confidence: Medium | Status: Note
SKILL.md
Price: ¥49 | Includes: configuration script + video tutorial + WeChat support

The artifact advertises paid bundled materials/services, while the provided package only contains SKILL.md and skill.json, making the package contents and support path ambiguous.

User impact: You may expect a vetted script or support channel that is not actually included in the reviewed artifact set.
Recommendation: Verify any external script, video, payment, or support channel separately, and do not run out-of-band setup scripts unless their source and contents are clear.