Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Tool Connector
v1.0.2Connect OpenClaw to any external tool or service — Slack, GitHub, Jira, Confluence, Grafana, Datadog, PagerDuty, Outlook, Google Drive, and more. Also teache...
⭐ 1· 74·0 current·0 all-time
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
medium confidencePurpose & Capability
The skill claims to connect to Slack, GitHub, Jira, Confluence, Grafana, Datadog, PagerDuty, Outlook, Google Drive, etc., and the repo contains setup recipes and scripts (Playwright SSO, sync utilities) appropriate to that goal. Requiring Python + Playwright and capturing SSO cookies/tokens is consistent with the stated approach. Minor oddity: setup text asks the user to git-clone a '10xProductivity' repo (placeholder), even though the skill bundle already includes scripts — slightly sloppy but not necessarily malicious.
Instruction Scope
Runtime instructions tell the agent to run headed Chromium via Playwright to capture session cookies/tokens (localStorage and network headers) and to write credentials into ~/.openclaw/openclaw.json and ~/.openclaw/tool-connector.env. The instructions also say OpenClaw will inject those tokens as env vars at session start. Capturing browser storage and network headers is powerful and sensitive; the SKILL.md explicitly instructs writing long-lived tokens and SSO cookies to disk — this expands the skill's effective access to broad account privileges and to any agent session that loads those envs.
Install Mechanism
No opaque downloads are used; the declared install is a pip package (playwright) with the standard 'playwright install chromium' post-install step. That will download Chromium, which is expected for the described SSO flows. This is a common but non-trivial installation (large binary download, browser runtime). The SKILL.md includes explicit post-install commands so behavior is transparent.
Credentials
The metadata lists many environment variables/tokens (GitHub, Jira, Confluence, Datadog, Slack cookies, Google Drive cookies, Graph tokens, etc.). Requesting these is proportional to a connector that supports many services, but the combination of long-lived API tokens and SSO cookies stored locally (and injected into sessions) is high-impact. The skill claims no external services are used, but storing broad credentials increases attack surface (local compromise, accidental leakage to other skills/agents).
Persistence & Privilege
The skill writes credentials to ~/.openclaw/openclaw.json and a plain-text ~/.openclaw/tool-connector.env and relies on OpenClaw to inject env vars into agent sessions. Although 'always' is false, these design choices create persistent, session-wide credentials that may be visible to other agent tasks or skills. The SKILL.md asserts the sync script only touches its own keys, but that is a trust assumption — the tools will have broad access while present.
What to consider before installing
This skill is coherent with its purpose (it needs tokens and Playwright to capture SSO), but it carries notable risks you should evaluate before installing:
- Review the included scripts (especially scripts/shared_utils/playwright_sso.py and scripts/openclaw_sync.py) yourself. The SKILL.md explicitly tells you to do this — do it. Look for any network calls to external hosts, telemetry, or hidden uploads.
- Minimize privileges: use short-lived or scoped tokens where possible. Avoid giving long-lived admin tokens; create tokens with read-only scopes needed for the agent's tasks.
- Isolate runtime: consider running this skill in an isolated environment (throwaway VM, container, or separate user account) rather than your primary workstation, since it captures browser session data and writes plaintext files.
- Protect stored secrets: if you proceed, ensure ~/.openclaw/openclaw.json and ~/.openclaw/tool-connector.env have strict filesystem permissions (owner-only) and are not backed up to cloud services or included in repos.
- Confirm 'everything stays local': search the scripts for any network POST/PUT targets that are not the expected tool endpoints. If you see any calls to unexpected URLs, do not run the skill.
- Consider alternatives: prefer built-in OAuth or short-lived app tokens if your organization permits them, or use ephemeral credentials created specifically for agent use that can be revoked quickly.
If you want, paste the contents of scripts/shared_utils/playwright_sso.py and scripts/openclaw_sync.py here and I will inspect them for external endpoints, obfuscated behavior, or obvious exfiltration.Like a lobster shell, security has layers — review code before you run it.
latestvk97a6f8bd0zjt6k7qpapckkq49838js8
License
MIT-0
Free to use, modify, and redistribute. No attribution required.