Huo15 Openclaw Enhance
Audited by ClawScan on May 11, 2026.
Overview
This appears to be a broad OpenClaw enhancement plugin rather than a simple instruction-only skill, and its default-on local-data, file-sharing, skill-install/spawn, and shell-execution signals deserve careful review before use.
Install only if you want a full OpenClaw enhancement plugin and trust the publisher. Before enabling it, review the cc-bridge command-execution module, package/install scripts, memory/search settings, file-sharing routes, and skill installer/spawn features. Consider starting with minimal tool tier and disabling transcript search, native memory surfacing, scheduled tasks, and file sharing unless you specifically need them.
Findings (6)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
A user may think they are installing a simple skill while actually enabling a broad plugin with startup hooks and local integrations.
The supplied metadata frames this as instruction-only with unknown source, but the package contains a substantial runnable plugin codebase. That mismatch makes provenance and install behavior harder for users to assess.
Source: unknown ... No install spec — this is an instruction-only skill ... Code file presence: 56 code file(s)
Treat this as a full plugin install, not an instruction-only skill. Review the package source, package scripts, and OpenClaw plugin manifest before enabling it.
If the bridge can run local commands based on prompt/session content, mistakes or prompt manipulation could affect the user’s local environment.
The static scan indicates child_process usage in a keyword-dispatch bridge module, and the shown code parses prompt content. The visible artifacts do not clearly document the command boundaries or user approval model.
suspicious.dangerous_exec (critical) ... Shell command execution detected (child_process). Evidence: const m = /"sender_id"\s*:\s*"([^"]+)"/.exec(prompt);
Inspect this module before installation. Confirm any shell commands use fixed allowlisted executables/arguments, cannot be prompt-injected, and require explicit user approval for high-impact actions.
Past conversations and local memory files may be read, surfaced into context, or reused across tasks, which can expose sensitive information or amplify poisoned/incorrect memories.
The plugin can search private historical session transcripts and is default-enabled. Other visible configuration also enables structured memory and native memory surfacing by default.
"transcriptSearch": { ... "stream-scans ~/.openclaw/agents/<agent>/sessions/*.jsonl" ... "enabled": { "type": "boolean", "default": true } }
Disable transcriptSearch, nativeMemorySurfacer, and automatic memory features unless needed. Review which local paths are searched, and periodically clear or audit stored memories.
Files selected for sharing can become reachable through a URL for the configured lifetime.
The file-sharing bridge intentionally exposes selected local files through temporary HTTP URLs. The README also documents safety gates such as path blacklists, tokenized URLs, size limits, and revocation.
`enhance_share_file(filePath, label?, expireHours?, copyMode?)` ... returns a temporary URL (expires after 24h by default)
Only share files you intend to expose, prefer short expirations, and use the revoke tool after the recipient downloads the file.
The agent may gain tools that create subagents or install additional skills, increasing the chance of unintended automation or supply-chain exposure.
The plugin registers default-enabled capabilities for subtask spawning and skill installation. These can change agent behavior or add execution surface, but the visible artifacts do not show clear confirmation or rollback boundaries.
name: "子任务派发", tier: 1, enabled: true, load: () => registerSpawnTask(api) ... name: "技能安装器", tier: 1, enabled: true, load: () => registerSkillInstaller(api)
Use the minimal tool tier where possible, confirm before installing recommended skills, and disable or restrict spawn/installer features if they are not required.
During large-file workflows, the agent may prioritize the plugin’s forced upload/check flow over alternative diagnostic responses.
The plugin deliberately injects strict instructions and required tool-use flow for the large-file upload case. This is disclosed and purpose-aligned, but it can override the agent’s normal reply choices in that scenario.
Your reply must be exactly the following passage, without changing a single character ... At this point you must: 1. Immediately call the enhance_upload_check({token: "2eaffa5d5569"}) tool
Keep this feature enabled only if the upload bridge is desired, and verify that the generated upload URL belongs to the OpenClaw instance you trust.
