
openclaw

Manages OpenClaw, a self-hosted gateway connecting messaging platforms to AI agents, covering installation, configuration, and routing.

Security score: 29/100

The openclaw skill was audited on May 13, 2026 and we found 19 security issues across 4 threat categories. Review the findings below before installing.

Security Issues

medium line 265

Template literal with variable interpolation in command context

Source: SKILL.md
265: ```yaml
medium line 268

Curl to non-GitHub URL

Source: SKILL.md
268: curl -X POST "https://openclaw.example.com/hooks/ci-notify" \
medium line 7

Webhook reference - potential data exfiltration

Source: SKILL.md
7: cron jobs in OpenClaw, set up webhooks, manage OpenClaw channels, pair a
medium line 10

Webhook reference - potential data exfiltration

Source: SKILL.md
10: configuration, cron scheduling, webhooks, and sub-agents.
medium line 24

Webhook reference - potential data exfiltration

Source: SKILL.md
24: Manage OpenClaw, an open-source self-hosted gateway that connects messaging platforms (WhatsApp, Telegram, Discord, Slack, Signal, iMessage) to AI coding agents. Covers the full lifecycle from install
medium line 131

Webhook reference - potential data exfiltration

Source: SKILL.md
131: ### Task E: Set up webhooks
medium line 133

Webhook reference - potential data exfiltration

Source: SKILL.md
133: Enable webhook ingestion for external triggers:
medium line 250

Webhook reference - potential data exfiltration

Source: SKILL.md
250: ### Example 3: Webhook-triggered CI notifications to WhatsApp
low line 258

Webhook reference - potential data exfiltration

Source: SKILL.md
258: enabled: true, token: "ci-webhook-secret-2024",
medium line 282

Webhook reference - potential data exfiltration

Source: SKILL.md
282: - Webhook tokens should be stored securely and rotated periodically. Never use query string authentication.
medium line 24

Access to hidden dotfiles in home directory

Source: SKILL.md
24: Manage OpenClaw, an open-source self-hosted gateway that connects messaging platforms (WhatsApp, Telegram, Discord, Slack, Signal, iMessage) to AI coding agents. Covers the full lifecycle from install
medium line 48

Access to hidden dotfiles in home directory

Source: SKILL.md
48: Edit `~/.openclaw/openclaw.json` to enable channels. Each channel has `dmPolicy` (`pairing`, `allowlist`, `open`, `disabled`) and `groupPolicy` (`open`, `allowlist`, `disabled`).
low line 81

Access to hidden dotfiles in home directory

Source: SKILL.md
81: { id: "alfred", name: "Alfred", workspace: "~/.openclaw/workspace-alfred", default: true },
medium line 109

Access to hidden dotfiles in home directory

Source: SKILL.md
109: Cron runs inside the gateway and persists jobs at `~/.openclaw/cron/`. Enable with `"cron": { "enabled": true }`.
medium line 200

Access to hidden dotfiles in home directory

Source: SKILL.md
200: Config (`~/.openclaw/openclaw.json`):
low line 205

Access to hidden dotfiles in home directory

Source: SKILL.md
205: workspace: "~/.openclaw/workspace",
low line 44

External URL reference

Source: SKILL.md
44: The Control UI is accessible at `http://127.0.0.1:18789/` after the gateway starts.
low line 215

External URL reference

Source: SKILL.md
215: Gateway started on http://127.0.0.1:18789/
low line 268

External URL reference

Source: SKILL.md
268: curl -X POST "https://openclaw.example.com/hooks/ci-notify" \
Scanned on May 13, 2026