Enterprise Agent OS
Warn
Audited by ClawScan on May 18, 2026.
Overview
This skill is not clearly malicious, but it asks users to run unreviewed external enterprise automation code with broad service credentials and authority to change multiple business systems.
Treat this as a Review item before installing. Do not connect production Salesforce, Google Workspace, SAP, Jira, or other enterprise systems until the external repository has been reviewed, the exact credentials and scopes are documented, and mutation workflows require explicit approval and rollback controls.
Findings (5)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Installing it could cause your agent or administrator to run code that was not included in the reviewed skill package.
The reviewed package contains only documentation, but it instructs users to clone and run an external Node.js project. That unreviewed remote code would be the component handling enterprise credentials and automation.
git clone https://github.com/ZhenRobotics/openclaw-enterprise-hub.git
cd openclaw-enterprise-hub
npm install
npm run dev
Review the external repository at a pinned commit, inspect lockfiles and scripts, and require a proper install spec and capability declaration before using it with real enterprise systems.
A misconfigured or compromised deployment could gain durable, high-privilege access to core business systems.
The setup asks for broad Salesforce OAuth scopes, refresh-token access, and Google Workspace service-account credentials, while the registry metadata declares no required credentials or environment variables.
Scopes: `full`, `api`, `refresh_token` ... GOOGLE_SERVICE_ACCOUNT_KEY=/path/to/key.json ... GOOGLE_ADMIN_EMAIL=admin@your-domain.com
Use least-privilege scopes, dedicated service accounts, short-lived credentials where possible, and document exactly which permissions are required before connecting production accounts.
An agent could create projects, accounts, or other business records across systems if the connected service accepts the request.
The examples show deploying workflows that create or change records in enterprise systems. The artifacts do not define required human approval, dry-run behavior, rollback, or limits for these high-impact actions.
action: "create_customer_account" ... action: "create_project" ... curl -X POST http://localhost:3000/api/v1/workflows
Require explicit user confirmation for mutations, provide dry-run previews, restrict allowed workflow actions, and maintain rollback procedures before enabling agent-driven deployment.
A mistaken workflow or permission decision could be replayed or reconciled into several connected systems.
The design intentionally centralizes and replays enterprise changes, queues operations during outages, and automatically resolves conflicts. That is purpose-aligned, but it can propagate a bad decision or bad input across multiple systems without clear containment in the artifacts.
All changes flow through central event log ... Automatic conflict detection and resolution ... Auto-queue pending operations ... Intelligent reconciliation on recovery
Add containment controls such as per-system approvals, bounded queues, idempotency checks, staged rollout, reconciliation review, and emergency stop mechanisms.
Audit reports could expose sensitive employee, customer, and access-control information if mishandled.
The audit export contains sensitive user, access, customer-resource, and IP-address information. This is expected for compliance auditing, but it needs strong retention, access, and export controls.
timestamp,user_id,user_name,resource_type,resource_id,action,system,decision,reason,ip_address
Limit who can export audit data, encrypt stored reports, define retention rules, and avoid sending audit outputs to untrusted destinations.
