v1.0.0

zenzap-onboarding

ReviewClawScan verdict for this skill. Analyzed May 1, 2026, 6:31 AM.

Analysis

The skill matches its Zenzap onboarding purpose, but it asks the agent to install an external plugin, handle new API credentials, load remote API instructions, and keep operating inside the workspace with broad ongoing authority.

GuidanceBefore installing, confirm you trust Zenzap and the OpenClaw plugin, understand that an API key and secret will be created for the bot, and set clear limits on what the agent may do after onboarding. Ask for explicit confirmation before creating channels, sending messages, changing members, or continuing to poll workspace events.

Findings (6)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

Abnormal behavior control

Checks for instructions or behavior that redirect the agent, misuse tools, execute unexpected code, cascade across systems, exploit user trust, or continue outside the intended task.

Tool Misuse and Exploitation

SeverityMediumConfidenceHighStatusConcern

SKILL.md

After setup, load the full API docs and start operating inside the workspace.

This expands the workflow beyond the single onboarding call into broader authenticated workspace operations, without clearly limiting which actions require user approval.

User impactAfter setup, the agent may have enough guidance and credentials to take Zenzap workspace actions beyond the initial organization creation.

RecommendationLimit the skill to the specific onboarding steps, and require explicit user confirmation for each later workspace mutation such as creating topics, sending messages, or changing members.

Agentic Supply Chain Vulnerabilities

SeverityMediumConfidenceHighStatusNote

SKILL.md

openclaw plugins install @zenzap-co/openclaw-plugin

The skill asks the human to install external plugin code that is not present in the reviewed artifact set. The step is disclosed and user-directed, but its version and implementation are not reviewed here.

User impactInstalling the plugin may add code that can handle authentication and event routing inside the user's OpenClaw environment.

RecommendationInstall the plugin only if you trust its publisher, prefer a pinned version if available, and review the plugin's own permissions and source before configuring credentials.

Rogue Agents

SeverityMediumConfidenceMediumStatusConcern

SKILL.md

Start polling **before** telling the human to join so you don't miss their first message: GET https://api.zenzap.co/v2/updates?timeout=30

The workflow starts ongoing event polling for the bot, but the visible instructions do not define when polling should stop or how the user can constrain ongoing bot activity.

User impactThe agent may remain connected to workspace events after the initial setup task unless the user sets clear limits.

RecommendationAdd explicit stop conditions, revocation guidance, and user controls for ongoing polling or event handling.

Human-Agent Trust Exploitation

SeverityLowConfidenceMediumStatusNote

SKILL.md

`humanEmail` | string | Required. Valid email.

The API requires a human email, but the earlier visible collection list says to ask four questions and does not include email, which could make consent for sending that personal data less explicit.

User impactA user's email address may be sent to Zenzap as part of onboarding, so the user should clearly approve that data sharing.

RecommendationAsk the user explicitly for the email address to invite and confirm that it will be sent to Zenzap before making the API call.

Permission boundary

Checks whether tool use, credentials, dependencies, identity, account access, or inter-agent boundaries are broader than the stated purpose.

Identity and Privilege Abuse

SeverityMediumConfidenceHighStatusNote

SKILL.md

`credentials` | **API Key** for Bearer auth, **API Secret** for HMAC-SHA256 signing (store securely)

The skill obtains and uses bot API credentials. This is expected for the Zenzap integration, but those credentials grant delegated access to the new workspace.

User impactAnyone with the generated token or API secret could potentially act as the bot in the Zenzap workspace.

RecommendationTreat the returned API key, secret, and base64 token as sensitive secrets; store them securely and revoke or rotate them if they are exposed or no longer needed.

Sensitive data protection

Checks for exposed credentials, poisoned memory or context, unclear communication boundaries, or sensitive data that could leave the user's control.

Memory and Context Poisoning

SeverityLowConfidenceHighStatusNote

SKILL.md

Immediately after receiving the 201, load the complete Zenzap API reference: https://docs.zenzap.co/llms-full.txt

The agent is instructed to retrieve remote, mutable documentation and use it as context for later authenticated operations.

User impactChanged or overly broad remote documentation could influence what the agent believes it is allowed to do inside the workspace.

RecommendationTreat the remote documentation as reference material only; do not let it override the user's instructions or explicit approval requirements.