Agent Builder Plus
Review
Audited by ClawScan on May 10, 2026.
Overview
This instruction-only agent builder has no executable code, but its default templates include persistent/self-editing agent behavior and ambiguous no-approval language that users should review before creating or registering agents.
Use this only if you intend to create or register OpenClaw agents. Before running its suggested commands, choose a dedicated workspace, back up OpenClaw configuration, use separate channels/apps for testing, and review generated AGENTS.md, SOUL.md, MEMORY.md, and HEARTBEAT.md. In particular, tighten or remove instructions that let the agent self-edit behavior files or act without explicit permission.
Findings (6)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
A generated agent may make persistent changes to its own instructions, notes, or related skill files in ways the user did not explicitly approve.
The default generated instructions mix a strict approval rule with broad no-approval and self-update language for persistent agent files. That can cause created agents to mutate their behavior or workspace state without clear user approval.
Ask the user for explicit permission before any destructive/state-changing action ... Don't ask permission. Just do it. ... When you learn a lesson → update AGENTS.md, TOOLS.md, or the relevant skill
Before using generated files, remove or narrow the 'Don't ask permission' language and require explicit approval for edits to AGENTS.md, TOOLS.md, skills, config, or any nontrivial persistent state.
Private details or poisoned instructions placed in memory files could affect future agent behavior.
The generated agents are designed to persist and reuse memory across sessions. The template includes some safeguards, such as not loading MEMORY.md in shared contexts, but the memory can still contain sensitive or behavior-shaping content.
Read `memory/YYYY-MM-DD.md` (today + yesterday) ... Also read `MEMORY.md` ... You can **read, edit, and update** MEMORY.md freely in main sessions
Keep MEMORY.md curated, avoid storing secrets, review memory files periodically, and ensure generated agents do not load private memory in group or shared channels.
If heartbeats are enabled, a generated agent may continue checking tasks or posting status updates over time.
The generated-agent template supports recurring heartbeat behavior, heartbeat state files, and proactive status updates. This is disclosed and aligned with the skill's purpose, but it creates autonomous activity beyond a single user request.
When you receive a heartbeat poll ... don't just reply `HEARTBEAT_OK` every time. Use heartbeats productively! ... If you've been unresponsive >5 minutes, send status update
Enable heartbeats only after reviewing HEARTBEAT.md, keep heartbeat tasks narrow, and require opt-in before proactive outbound messages.
Registering an agent can change local OpenClaw behavior and delegated channel access.
The skill documents registering a new agent with OpenClaw, which changes which workspace and instructions an agent can use. The surrounding text includes warnings and backup steps, so this is disclosed but still permission-relevant.
openclaw agents add <agent-name> --workspace /path/to/workspace
Only run registration commands intentionally, back up ~/.openclaw/openclaw.json first, and verify each agent's workspace and channel binding.
A bad channel binding could route messages to the wrong agent and make the main agent harder to reach.
The artifact itself identifies that a wrong channel binding can disrupt access to the main agent. It provides mitigation steps, so this is a disclosed operational risk.
NEVER bind a new agent to the same channel as the main agent! ... This will cause the new agent to hijack the main agent's channel
List existing agents and channels before binding a new one, and use separate test channels or apps for new agents.
It may be harder to confirm exactly which package/version was reviewed or installed.
The packaged _meta.json identifies a different slug/version than the registry metadata shown for Agent Builder Plus version 1.0.3. This does not prove unsafe behavior, especially with no code present, but it is a provenance inconsistency.
"slug": "agent-builder", "version": "1.0.0"
Confirm the publisher and version before relying on the skill, and prefer packages whose internal metadata matches the registry entry.
